US20170142096A1 - Endpoint privacy preservation with cloud conferencing - Google Patents

Endpoint privacy preservation with cloud conferencing Download PDF

Info

Publication number
US20170142096A1
US20170142096A1 US14/942,898 US201514942898A US2017142096A1 US 20170142096 A1 US20170142096 A1 US 20170142096A1 US 201514942898 A US201514942898 A US 201514942898A US 2017142096 A1 US2017142096 A1 US 2017142096A1
Authority
US
United States
Prior art keywords
endpoint
cloud
identity
access
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/942,898
Other versions
US10523657B2 (en
Inventor
K Tirumaleswar Reddy
Daniel G. Wing
Prashanth Patil
Sandeep Rao
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Technology Inc filed Critical Cisco Technology Inc
Priority to US14/942,898 priority Critical patent/US10523657B2/en
Assigned to CISCO TECHNOLOGY, INC. reassignment CISCO TECHNOLOGY, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: PATIL, PRASHANTH, RAO, SANDEEP, WING, DANIEL G., REDDY, K TIRUMALESWAR
Publication of US20170142096A1 publication Critical patent/US20170142096A1/en
Application granted granted Critical
Publication of US10523657B2 publication Critical patent/US10523657B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/16Arrangements for providing special services to substations
    • H04L12/18Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/1813Arrangements for providing special services to substations for broadcast or conference, e.g. multicast for computer conferences, e.g. chat rooms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/16Arrangements for providing special services to substations
    • H04L12/18Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/1813Arrangements for providing special services to substations for broadcast or conference, e.g. multicast for computer conferences, e.g. chat rooms
    • H04L12/1827Network arrangements for conference optimisation or adaptation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1069Session establishment or de-establishment
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1096Supplementary features, e.g. call forwarding or call holding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40Support for services or applications
    • H04L65/403Arrangements for multi-party communication, e.g. for conferences

Definitions

  • the present technology pertains to computer-based networking, and more specifically to privacy preservation in a cloud-based networking environment.
  • Such information may include sensitive data being shared such as work-related documents or the names of the parties communicating with each other and the organizations/enterprises that the parties belong to.
  • Parties communicating via a cloud-based network may not want unauthorized parties to know their identities due to privacy concerns. This may be due to the fact that inferences can be made if an unauthorized party is aware of the identities of parties in communication with each other via a cloud-based network. Such inferences may be reinforced when data regarding the amount and duration of communications between the parties is known in addition to the identities of the parties.
  • FIG. 1 illustrates an example cloud architecture including nodes and devices interconnected by various methods of communication
  • FIG. 2 illustrates an example cloud service management system
  • FIG. 3 illustrates an example network environment 300 which may utilize decentralized key distribution
  • FIG. 4 illustrates an example network environment 400 which may utilize centralized key distribution
  • FIG. 5 illustrates an example embodiment of token generation
  • FIG. 6 illustrates an example procedure utilizing a decentralized key distribution
  • FIG. 7 illustrates an example procedure utilizing a centralized key distribution
  • FIG. 8 illustrates an example architecture of some embodiments of the present technology
  • a first request may be received from a first endpoint to access a cloud-based conference platform.
  • the first request can include a first access token that does not include an identity of the first endpoint.
  • a second request may be received from a second endpoint to access the cloud-based conference platform.
  • the second request can include a second access token that does not include an identity of the second endpoint.
  • Data can be routed within the cloud-based conference platform between the first endpoint and second endpoint based at least upon the first certificate and the second certificate.
  • Some embodiments of the present technology can hide the identities of endpoints (for example, call participants) in a conference call using the cloud conference server while still allowing endpoints to exchange media (for example, voice/data/video) through the media distribution device (MDD) provided by the cloud conference service.
  • the participating endpoints can also be made aware of the identities of the other participating endpoints on the conference call. This may be accomplished, in some embodiments, by utilizing an authorization server to act as an intermediary to determine whether endpoints/call participants of an intended conference call conducted via a cloud conference server are authorized to participate in the conference call.
  • the authorization server may provide keys (for instance, encrypted keys) to the endpoints for verification that the endpoints may access the conference call.
  • the authorization server can be the Enterprise identity provider (IdP) to generate a certificate/token for an endpoint which is trying to establish its identity (may be referred to as an authenticating party or authenticating endpoint) to access to the cloud conference server, wherein the certificate may conceal the identity of the endpoint call participant.
  • the authenticating party/authenticating endpoint may also inform the identity provider about the identities of other participants in the conference call authorized to receive the identity of the authenticating party.
  • Assertion verification can be a process by which a relying party can verify that an assertion of a user's ownership of a certain credential/certificate is valid.
  • an IdP can provide a short-term certificate (e.g., single use) such that an ownership assertion needs to be changed for each request (e.g., each call) to access a cloud conferencing server so that the cloud conferencing server cannot identify that the same endpoint is making multiple calls.
  • Endpoints may use a third party authorization service (for example, OAuth 2.0) to gain access to a cloud conferencing server.
  • a third party authorization service for example, OAuth 2.0
  • an Enterprise identity provider can perform the role of authorization server and the cloud conferencing server can perform the role of resource server.
  • Endpoints may authenticate with the authorization server/Enterprise identity provider in order to receive an access token from the authorization server/Enterprise identity provider. The endpoints can then utilize the access token to receive authorization to access the cloud conferencing server and MDD.
  • the endpoints do not make their true identities known to the cloud conferencing server.
  • an IdP proxy can mask the true identities of authenticating parties/endpoints during identity assertion generation, which may be exchanged using an offer/answer process.
  • the IdP proxy can be implemented with a script (e.g., JavaScript®) that runs in an isolated security context within a network and communicates via a secure message passing channel.
  • Identity assertion generation may be followed by identity assertion validation/verification, which can be performed by the IdP proxy.
  • the identity assertion generated by the IdP proxy may not include the true identity of the authenticating party. Participants of the conference call can receive the true identity of the authenticating party, but identity assertion validation/verification performed by the MDD may not receive the true identity of the authenticating party since the MDD may not be authorized by the authenticating party to receive the true identity.
  • a web browser may instantiate an IdP proxy. This may allow the IdP to load any script necessary into the IdP proxy. The resulting code may run in the IdP's security context.
  • the IdP can register an object with the browser that conforms to a corresponding application program interface (API).
  • API application program interface
  • the web browser may invoke methods on the object registered by the IdP proxy to generate or verify/validate identity assertions.
  • Endpoint identities or true identities may refer to the identities of each individual participant and/or the identities of the organizations associated with the endpoints/call participants. Some embodiments of the present technology may hide the identities of the individual call participants/endpoints from the cloud conferencing server while some embodiments may hide both the identities of the individual call participants and the identities of the organizations associated with the call participants. This would, among other things, improve privacy among call participants because outside parties would not be able to make inferences based on tracked call sessions made in the cloud conference server.
  • a call session facilitated by a cloud conferencing server could be targeted to gain information which would be valuable to businesses competing with the participants of a call session.
  • the unauthorized third party could use the information to make inferences regarding the nature of the call session. For example, an unauthorized third party could infer that the endpoint parties of the call session are conducting business deals or negotiations. This information could be valuable to an unauthorized third party as it may allow the unauthorized third party to gain an unfair business advantage over its competitors by having information that was intended to be confidential.
  • privacy concerns may dictate a need for concealment of endpoint identities in a cloud conferencing server environment.
  • a decentralized key distribution method can include a first conference call participant (for example, a speaker in the conference call) who establishes a secure connection with other conference call participants.
  • the conference call participants can authenticate individually with an authentication server in order to receive a certificate/token for access to the conference call hosted by a cloud conference server.
  • the initiating participant may request from the authentication server an encrypted key/token/group identifier for distribution to the group of conference call participants in order to exchange media.
  • the cloud conference server cannot access the encrypted media exchanged between participants and does not know the identity of the participants, but can modify the Real-time Transport Protocol (RTP) header.
  • RTP Real-time Transport Protocol
  • a centralized key distribution method can include an on-premise Enterprise Key Management Server (KMS), which may act as an intermediary/proxy authorization server.
  • KMS on-premise Enterprise Key Management Server
  • Endpoint participants of a conference call can authenticate with the KMS, and the initiating endpoint participant may request a group identifier/encryption key from the KMS in order for the conference call participants to communicate with each other while utilizing the cloud conference server.
  • the KMS may provide the identities of conference call participants to other conference call participants authorized to receive the information.
  • FIG. 1 illustrates an example cloud architecture 100 including nodes and devices interconnected by various methods of communication.
  • Cloud 150 can be a public, private, and/or hybrid cloud system which may include one or more public and private cloud networks in communication with each other.
  • Cloud 150 can include resources, such as a cloud conferencing server 152 ; MDD 154 ; one or more Firewalls 197 ; Load Balancers 193 ; WAN optimization platforms 195 ; devices 187 , such as switches, routers, intrusion detection systems, Auto VPN systems, or any hardware or software network device; one or more servers 180 , such as a primary use network server, a data backup server, dynamic host configuration protocol (DHCP), domain naming system (DNS), or storage servers; virtual machines (VMs) 190 ; controllers, such as a communications controller 200 or a management device.
  • resources such as a cloud conferencing server 152 ; MDD 154 ; one or more Firewalls 197 ; Load Balancers 193 ; WAN optimization platforms 195 ; devices 187 , such as switches, routers, intrusion detection systems, Auto VPN systems, or any hardware or software network device; one or more servers 180 , such as a primary use network server, a data backup server, dynamic host configuration protocol (
  • MDD 154 can forward media flows transmitted by conference call participants to other conference call participants, and may sometimes forward only a subset of flows based on voice activity detection or other criteria.
  • a switching MDD 154 may make limited modifications to RTP [RFC3550] headers, for example, but the actual media content (e.g., voice or video data) can be unaltered.
  • RTP [RFC3550] headers for example, but the actual media content (e.g., voice or video data) can be unaltered.
  • An advantage of switched conferencing is that MDD 154 can be deployed on general-purpose computing hardware. This, in turn, means that it is possible to deploy a switching MDD 154 in virtualized environments, including private and public clouds.
  • Cloud resources can be physical, software, virtual, or any combination thereof.
  • a cloud resource can include a server running one or more VMs or storing one or more databases.
  • cloud resources can be provisioned based on requests (e.g., client or tenant requests), schedules, triggers, events, signals, messages, alerts, agreements, necessity, or any other factor.
  • cloud 150 can provision network recovery services, application services, software development services, database services, storage services, management services, monitoring services, configuration services, administration services, backup services, disaster recovery services, bandwidth or performance services, intrusion detection services, VPN services, or any type of services to any device, server, network, client, or tenant.
  • cloud 150 can handle traffic and/or provision services.
  • cloud 150 can provide network routing/re-routing services, network data backup services, configuration services, such as auto VPN, automated deployments, automated wireless configurations, automated policy implementations, and the like.
  • the cloud 150 can collect data about a client or network and generate configuration settings for specific service, device, or networking deployments.
  • the cloud 150 can generate security policies, subnetting and routing schemes, forwarding schemes, NAT settings, VPN settings, and/or any other type of configurations. The cloud 150 can then push or transmit the necessary data and settings to specific devices or components to manage a specific implementation or deployment.
  • the cloud 150 can generate VPN settings, such as IP mappings, port number, and security information, and send the VPN settings to specific, relevant device(s) or component(s) identified by the cloud 150 or otherwise designated. The relevant device(s) or component(s) can then use the VPN settings to establish a VPN tunnel according to the settings.
  • the cloud 150 can generate and manage network diagnostic tools or graphical user interfaces.
  • cloud 150 can provide specific services for clients—namely, client A 110 , client B 120 , and client C 130 .
  • cloud 150 can deploy a network or specific network components, configure links or devices, automate services or functions, or provide any other services for the clients.
  • Other non-limiting example services performable by cloud 150 can include network administration services, network monitoring services, content filtering services, application control, WAN optimization, firewall services, gateway services, storage services, protocol configuration services, wireless deployment services, and so forth.
  • the clients can connect with cloud 150 through networks 160 , 162 , and 164 , respectively. More specifically, client A 110 , client B 120 , and client C 130 can each connect with cloud 150 through networks 160 , 162 , and 164 , respectively, in order to access resources from cloud 150 , communicate with cloud 150 , or receive any services from cloud 150 .
  • Networks 160 , 162 , and 164 can each refer to a public network, such as the Internet; a private network, such as a LAN; a combination of networks; or any other network, such as a VPN or an overlay network.
  • the clients can each include one or more networks.
  • client A 110 , client B 120 , and client C 130 can each include one or more LANs and VLANs.
  • a client can represent one branch network, such as a LAN, or multiple branch networks, such as multiple remote networks.
  • client A 110 can represent a single LAN network or branch, or multiple branches or networks, such as a branch building or office network in Los Angeles and another branch building or office network in New York.
  • the multiple branches or networks can each have a designated connection to the cloud 150 .
  • each branch or network can maintain a tunnel to the cloud 150 .
  • all branches or networks for a specific client can connect to the cloud 150 via one or more specific branches or networks.
  • traffic for the different branches or networks of a client can be routed through one or more specific branches or networks.
  • client A 110 , client B 120 , and client C 130 can each include one or more routers, switches, appliances, client devices, VMs, or any other devices.
  • Each client can also maintain links between branches.
  • client A can have two branches, and the branches can maintain a link between each other.
  • branches can maintain a tunnel between each other, such as a VPN tunnel.
  • the link or tunnel between branches can be generated and/or maintained by the cloud 150 .
  • the cloud 150 can collect network and address settings for each branch and use those settings to establish a tunnel between branches.
  • the branches can use a respective tunnel between the respective branch and the cloud 150 to establish the tunnel between branches.
  • branch 1 can communicate with cloud 150 through a tunnel between branch 1 and cloud 150 to obtain the settings for establishing a tunnel between branch 1 and branch 2 .
  • Branch 2 can similarly communicate with cloud 150 through a tunnel between branch 2 and cloud 150 to obtain the settings for the tunnel between branch 1 and branch 2 .
  • cloud 150 can maintain information about each client network, in order to provide or support specific services for each client, such as network traffic monitoring, network traffic routing/re-routing, security, or VPN services. Cloud 150 can also maintain one or more links or tunnels to the clients. For example, cloud 150 can maintain a VPN tunnel to one or more devices in client A's network. In some cases, cloud 150 can configure the VPN tunnel for a client, maintain the VPN tunnel, or automatically update or establish any link or tunnel to the client or any devices of the client.
  • the cloud 150 can also monitor device and network health and status information for client A 110 , client B 120 , and client C 130 . To this end, client A 110 , client B 120 , and client C 130 can synchronize information with cloud 150 . Cloud 150 can also manage and deploy services for the clients. For example, cloud 150 can collect network information about client A 110 and generate network and device settings to automatically deploy a service for client A 110 . In addition, cloud 150 can update device, network, and service settings for the clients.
  • the cloud architecture 150 can include any number of nodes, devices, links, networks, or components. In fact, embodiments with different numbers and/or types of clients, networks, nodes, cloud components, servers, software components, devices, virtual or physical resources, configurations, topologies, services, appliances, deployments, or network devices are also contemplated herein. Further, cloud 150 can include any number or types of resources, which can be accessed and utilized by clients or tenants. The illustration and examples provided herein are intended for clarification of some embodiments of the present technology.
  • packets e.g., traffic and/or messages
  • packets can be exchanged among the various nodes and networks in the cloud architecture 100 using specific network protocols.
  • packets can be exchanged using wired protocols, wireless protocols, security protocols, OSI-Layer specific protocols, or any other protocols.
  • protocols can include Session Initiation Protocol (SIP), protocols from the Internet Protocol Suite, such as TCP/IP; OSI (Open Systems Interconnection) protocols, such as L1-L7 protocols; routing protocols, such as RIP, IGP, BGP, STP, ARP, OSPF, EIGRP, NAT; or any other protocols or standards, such as HTTP, SSH, SSL, RTP, FTP, SMTP, POP, PPP, NNTP, IMAP, Telnet, SSL, SFTP, WIFI, Bluetooth, VTP, ISL, IEEE 802 standards, L2TP, IPSec, etc.
  • various hardware and software components or devices can be implemented to facilitate communications both within a network and between networks.
  • the various hardware and software components or devices can also be referred to as nodes and some examples are switches, hubs, routers, access points (APs), antennas, network interface cards (NICs), modules, cables, firewalls, servers, repeaters, sensors, and the like.
  • FIG. 2 illustrates a schematic block diagram of an example communications controller 200 .
  • Communications controller 200 can serve as a cloud service management system for cloud 150 .
  • communications controller 200 can manage cloud operations, client communications, service provisioning, network configuration and monitoring, and the like.
  • cloud service provisioning such as cloud storage, media, streaming, security, or administration services.
  • communications controller 200 can manage VMs; networks, such as client networks or software-defined networks (SDNs); service provisioning; and the like.
  • SDNs software-defined networks
  • Communications controller 200 can include several subcomponents, including hardware and software components such as a scheduling function 204 , a processor 205 , a dashboard process 206 , data 208 , a networking function 210 , a management layer 212 , and a communication interface 202 .
  • the various subcomponents can be implemented as hardware and/or software components (e.g., processor 205 , memory, data structures, etc.).
  • FIG. 2 illustrates one example configuration of the various components of communications controller 200 , those of skill in the art will understand that the components can be configured in a number of different ways and can include any other type and number of components.
  • networking function 210 and management layer 212 can belong to one software module or multiple separate modules. Other modules can be combined or further divided up into more subcomponents.
  • Scheduling function 204 can manage scheduling of procedures, events, or communications. For example, scheduling function 204 can schedule when resources should be allocated from cloud 150 . As another example, scheduling function 204 can schedule when specific instructions or commands should be transmitted to the network (e.g., one or more client devices). In some cases, scheduling function 204 can provide scheduling for operations performed or executed by the various subcomponents of communications controller 200 . Scheduling function 204 can also schedule resource slots, virtual machines, bandwidth, device activity, status changes, nodes, updates, and the like.
  • Dashboard process 206 can provide an interface or front end where clients can access, consume, and generally monitor cloud services.
  • dashboard process 206 can provide a web-based frontend where clients can configure client devices or networks that are cloud-managed, provide client preferences, specify policies, enter data, upload statistics, configure interactions or operations, etc.
  • dashboard process 206 can provide visibility information, such as views of client networks or devices, and even provide diagnostic information, discussed in greater detail below—e.g., dashboard process 206 can provide a view of the status or conditions of the client's network, the operations taking place, services, performance, a topology or layout, specific network devices, protocols implemented, running processes, errors, notifications, alerts, network structure, ongoing communications, data analysis, etc.
  • dashboard process 206 can provide a graphical user interface (GUI) for the client to monitor the client network, the devices, statistics, errors, notifications, etc., and even make modifications or setting changes through the GUI.
  • GUI graphical user interface
  • the GUI can depict charts, lists, tables, tiles, network trees, maps, topologies, symbols, structures, or any graphical object or element.
  • the GUI can use color, font, shapes, or any other characteristics to depict scores, alerts, or conditions.
  • dashboard process 206 can also handle user or client requests. For example, the client can enter a service request through dashboard process 206 .
  • Data 208 can include any data or information, such as management data, statistics, settings, preferences, profile data, logs, notifications, attributes, configuration parameters, client information, network information, and the like.
  • communications controller 200 can collect network statistics from the client and store the statistics as part of data 208 .
  • data 208 can include performance and/or configuration information. This way, communications controller 200 can use data 208 to perform management or service operations for the client.
  • Data 208 can be stored on a storage or memory device on communications controller 200 , a separate storage device connected to communications controller 200 , or a remote storage device in communication with communications controller 200 .
  • Networking function 210 can perform networking calculations, such as network addressing, or networking service or operations, such as auto VPN configuration or traffic routing/re-routing.
  • networking function 210 can perform filtering functions, switching functions, failover functions, high availability functions, network or device deployment functions, resource allocation functions, messaging functions, traffic analysis functions, port configuration functions, mapping functions, packet manipulation functions, path calculation functions, loop detection, cost calculation, error detection, or otherwise manipulate data or networking devices.
  • networking function 210 can handle networking requests from other networks or devices and establish links between devices.
  • networking function 210 can perform queueing, messaging, or protocol operations.
  • Management layer 212 can include logic to perform management operations.
  • management layer 212 can include the logic to allow the various components of communications controller 200 to interface and work together.
  • Management layer 212 can also include the logic, functions, software, and procedure to allow communications controller 200 to perform monitoring, management, control, and administration operations of other devices, cloud 150 , the client, applications in cloud 150 , services provided to the client, or any other component or procedure.
  • Management layer 212 can include the logic to operate communications controller 200 and perform particular services configured on communications controller 200 .
  • management layer 212 can initiate, enable, or launch other instances in communications controller 200 and/or cloud 150 .
  • management layer 212 can also provide authentication and security services for cloud 150 , the client, controller 200 , and/or any other device or component.
  • management layer 212 can manage nodes, resources, VMs, settings, policies, protocols, communications, and the like.
  • management layer 212 and networking function 210 can be part of the same module. However, in some embodiments, management layer 212 and networking function 210 can be separate layers and/or modules.
  • Communications interface 202 allows communications controller 200 to communicate with the client, as well as any other device or network.
  • Communications interface 202 can be a network interface card (NIC), and can include wired and/or wireless capabilities.
  • Communications interface 202 allows communications controller 200 to send and receive data from other devices and networks.
  • communications controller 200 can include multiple communications interfaces for redundancy or failover.
  • communications controller 200 can include dual NICs for connection redundancy.
  • FIG. 3 illustrates an example network environment 300 which may utilize decentralized key distribution to increase privacy of endpoints (e.g., callers) in a conference call.
  • the network environment 300 can include one or more networks, such as networks 304 A and 304 B.
  • endpoint callers may originate their communications from either network 304 A or network 304 B, using cloud based network 302 with cloud server 360 to communicate in a cloud-based environment.
  • Networks 304 A and 304 B can include one or more local area networks (LANs), virtual LANs, wireless networks, physical network segments, logical network segments, underlay networks, overlay networks, etc.
  • Each of the networks 304 A and 304 B can also include one or more physical and/or logical network segments.
  • networks 304 A and 304 B can be segmented into VLANs in order to separate traffic within the networks 304 A and 304 B.
  • networks 304 A and 304 B can be interconnected by network 302 .
  • Network 302 can include a cloud-based computing network, server 360 , private network, such as a LAN, and/or a public network such as the Internet.
  • Networks 304 A and 304 B can include various devices 314 , 316 , 320 , 322 , 326 , 328 , 330 , 338 , 342 , 346 , 348 , 350 , 352 , such as servers and client devices, interconnected via network devices 306 - 310 , 312 , 332 - 336 , and 344 , such as routers, firewalls, switches, and so forth.
  • networks 304 A and 304 B can be cloud-based networks themselves and may include clusters of nodes.
  • networks 304 A and 304 B and/or one or more nodes in networks 304 A and 304 B can be configured to provision network or application services, such as firewall services, content filtering services, application security services, web security services, bandwidth services, VPN services, web services, database services, remote access services, Internet services, and so forth.
  • network or application services such as firewall services, content filtering services, application security services, web security services, bandwidth services, VPN services, web services, database services, remote access services, Internet services, and so forth.
  • Network 370 can be a cloud-based network with server 372 .
  • server 372 may serve the role of identity provider for endpoints/callers that desire an authorization token to communicate with other endpoints/callers in a communication between the parties such as for communication in a conference call facilitated in cloud network 302 by cloud server 360 .
  • client device (endpoint) 314 of network 304 A may desire communication with client device (endpoint) 352 of network 304 B via cloud network 302 .
  • endpoints 314 and 352 are shown as laptops, but may be represented by smartphones, desktop computers, tablets, and the like.
  • Endpoint 314 and endpoint 352 may desire that their communications via network 302 be private in that their identities are not detectable by third parties operating in cloud network 302 .
  • Endpoints 314 and 352 may gain access to cloud conferencing server 360 by utilizing, for example, OAuth 2.0.
  • authorization server 372 Prior to communicating with each other via the MDD in the cloud conferencing server 360 , both endpoints 314 and 352 may be authenticated with authorization server 372 .
  • Authorization server 372 can provide endpoints 314 and 352 with authorization tokens/certificates to access cloud conferencing server and MDD 360 .
  • the tokens/certificates utilized by endpoints 314 and 352 for access to cloud conferencing server 360 may not list the identities of endpoints 314 and 352 such that a third party gaining unauthorized access to the tokens would not be able to determine the identities of endpoints 314 and 352 .
  • the individual identities associated with endpoints 314 and 352 can be concealed in the tokens.
  • the tokens/certificates can be obtained by endpoints 314 and 352 by communicating with the identity provider 372 .
  • identity provider 372 may provide endpoints 314 and 352 with a short-term token/certificate, or a one-time use token.
  • An authenticating party for instance endpoint 314 or endpoint 352 , can request that identity provider 372 generate a token/certificate that does not include the identity of the authenticating party.
  • identity provider 372 can change for an endpoint for each call of a plurality of conference calls so that the cloud conferencing server cannot determine that the same endpoint is making multiple calls.
  • each endpoint may attempt to access cloud network 302 by providing their authenticated tokens/certificates.
  • cloud server 360 and identity provider 372 may be in communication such that identity provider 372 provides cloud server 360 with a listing of tokens assigned to endpoints/callers that are authorized to access cloud network 302 .
  • endpoints 314 and 352 may communicate with each other in cloud network 302 without cloud server 360 having access to their respective identities because cloud server 360 may only have information regarding authorized tokens and not the identities behind the authorized tokens/certificates. This can increase privacy among the communicating endpoints by preventing unauthorized parties from learning identifying information about the communicating endpoints. Further, this may prevent unauthorized parties from making inferences regarding the nature of the communications between the endpoint callers 314 and 352 .
  • identity provider 372 may create an identity assertion/token/certificate that disguises or omits the identity of the authenticated endpoint/caller.
  • identity provider 372 upon requesting access to cloud network 302 by, for example, an offer/answer procedure with cloud conferencing server 360 , the authenticated endpoint/caller can provide an authenticated token from identity provider 372 that does not contain identifying information of the authenticated endpoint/caller.
  • an authenticating endpoint/caller may provide identity provider 372 with information regarding the identities of other endpoints/callers that plan to join the conference call in cloud 302 .
  • the authenticating endpoint/caller may also provide identity provider 372 with a listing of other endpoints/callers authorized to receive the identity of the authenticating party. This can allow callers in cloud network 302 to confirm that the parties they are communicating with in cloud network 302 are the intended parties. In some embodiments, this can be achieved while withholding the identities of the communicating parties.
  • an endpoint/caller may convey IP addresses and port numbers in an offer/answer procedure for communicating, for example, group keys with other callers in cloud network 302 .
  • This may provide for group key management by providing to the conference call participants associated group identifiers/keys.
  • an initiating endpoint/caller may test connectivity with remote peers (e.g., other endpoints/callers) by using, for example, Interactive Connectivity Establishment (ICE).
  • ICE Interactive Connectivity Establishment
  • the initiating endpoint may establish a secure connection with the remote peers/remote endpoints/remote callers, and the remote callers can mutually authenticate using, for example, short-term certificates provided by identity provider 372 .
  • identity provider 372 e.g., a remote peer/caller desiring to join a conference call
  • the relying party can request identity provider 372 to provide the identity of an authenticated party (i.e., a remote peer on the same conference call).
  • the identity provider 372 may provide the identity of the authenticated party to the relying party. Identity provider 372 may determine parties authorized to receive identifying endpoint information by utilizing a list of authorized parties provided to it from the authenticating party.
  • the initiating endpoint/caller can generate a group identifier/group symmetric key (e.g., a group end-to-end encryption key) for encrypting and decrypting media exchanged between endpoints in a conference call hosted by cloud server 360 .
  • the initiating endpoint e.g., a speaker of the conference call
  • can distribute the group symmetric key and encryption algorithm e.g., Authenticated Encryption with Associated Data (AEAD) to the other participants/callers/endpoints in the conference call using a secure communication channel.
  • participants in the conference call can also establish a Datagram Transport Layer Security-Real-time Transport Protocol (DTLS-SRTP) session with cloud conferencing server 360 to generate a hop-by-hop key.
  • DTLS-SRTP Datagram Transport Layer Security-Real-time Transport Protocol
  • cloud conferencing server 360 may not have access to encrypted real-time media in cloud 302 that is communicated between endpoints 314 and 352 , but cloud conferencing server 360 may modify the RTP header associated with an encrypted communication.
  • network environment 300 The devices, nodes, and networks described in network environment 300 are non-limiting examples of devices, nodes, and networks provided for clarification purposes.
  • network environment 300 can include more or less devices, nodes, and networks than those depicted in FIG. 3 .
  • network environment 300 can include other configurations, architectures, topologies, and so forth. Indeed, other configurations, architectures, topologies, systems, and implementations are contemplated herein.
  • FIG. 4 illustrates an example network environment 400 which may utilize centralized key distribution to increase privacy of endpoints (e.g., callers) in a conference call.
  • the network environment 400 can include one or more networks, such as networks 304 A and 304 B.
  • endpoint callers may originate their communications from either network 304 A or network 304 B, using cloud based network 302 with cloud server 360 to communicate in a cloud-based environment.
  • Networks 304 A and 304 B can include one or more local area networks (LANs), virtual LANs, wireless networks, physical network segments, logical network segments, underlay networks, overlay networks, etc.
  • Each of the networks 304 A and 304 B can also include one or more physical and/or logical network segments.
  • networks 304 A and 304 B can be segmented into VLANs in order to separate traffic within the networks 304 A and 304 B.
  • networks 304 A and 304 B can be interconnected by network 302 .
  • Network 302 can include a cloud-based computing network, server 360 , private network, such as a LAN, and/or a public network such as the Internet.
  • Networks 304 A and 304 B can include various devices 314 , 316 , 320 , 326 , 328 , 330 , 338 , 342 , 346 , 348 , 350 , 352 , such as servers and client devices, interconnected via network devices 306 - 310 , 312 , 332 - 336 , and 344 , such as routers, firewalls, switches, and so forth.
  • networks 304 A and 304 B can be cloud-based networks themselves and may include clusters of nodes.
  • networks 304 A and 304 B and/or one or more nodes in networks 304 A and 304 B can be configured to provision network or application services, such as firewall services, content filtering services, application security services, web security services, bandwidth services, VPN services, web services, database services, remote access services, Internet services, and so forth.
  • network or application services such as firewall services, content filtering services, application security services, web security services, bandwidth services, VPN services, web services, database services, remote access services, Internet services, and so forth.
  • server 320 may serve the role of identity provider and key management server (KMS) for endpoints/callers that desire an authorization token to communicate with other endpoints/callers in a communication between the parties such as for communication in a conference call facilitated in cloud network 302 by cloud conferencing server 360 .
  • KMS 320 can be an on-premise enterprise KMS that may securely create, share, rotate, and store group end-to-end encryption keys for securing media communicated between endpoints/callers in a conference call facilitated by cloud conferencing server 360 in cloud network 302 .
  • endpoints in a conference call may communicate with KMS 320 directly or through cloud conference server 360 .
  • cloud conference server 360 may act as a transparent proxy that does not receive application layer (L7) data exchanged between endpoints/callers and KMS 320 .
  • Endpoints may authenticate with KMS 320 by using a token/certificate provided by the identity provider and identity assertion.
  • the endpoint initiating a media request via cloud conference server 360 can request KMS 320 to generate a group encryption key and can negotiate an encryption algorithm.
  • KMS 320 may also provide the identities of conference call participants that are authorized to receive the group keying material.
  • KMS 320 may use a push or pull model to provide the group keying material to the conference call participants.
  • client device (endpoint) 314 of network 304 A may desire communication with client device (endpoint) 352 of network 304 B via cloud network 302 .
  • endpoints 314 and 352 are shown as laptops, but may be represented by smartphones, desktop computers, tablets, and the like.
  • Endpoint 314 and endpoint 352 may desire that their communications via network 302 be private in that their identities are not detectable by third parties operating in cloud network 302 .
  • Endpoints 314 and 352 may gain access to cloud conferencing server 360 by utilizing, for example, OAuth 2.0.
  • identity provider/KMS 320 Prior to communicating with each other in via cloud conferencing server 360 , both endpoints 314 and 352 may be authenticated with identity provider/KMS 320 .
  • Identity provider/KMS 320 can provide endpoints 314 and 352 with authorization tokens/certificates to access cloud conferencing server 360 .
  • the tokens/certificates utilized by endpoints 314 and 352 for access to cloud conferencing server 360 may not list the identities of endpoints 314 and 352 such that a third party gaining unauthorized access to the tokens would not be able to determine the identities of endpoints 314 and 352 .
  • the organizations associated with endpoints 314 and 352 can be concealed in the tokens.
  • the tokens/certificates can be obtained by endpoints 314 and 352 by communicating with identity provider/KMS 320 .
  • identity provider/KMS 320 may provide endpoints 314 and 352 with a short-term token/certificate, or a one-time use token.
  • An authenticating party for instance endpoint 314 or endpoint 352 , can request that KMS 320 generate a token/certificate that does not include the identity of the authenticating party.
  • each endpoint may attempt to access cloud conferencing server 360 by providing their authenticated certificates.
  • cloud conferencing server 360 and identity provider/KMS 320 may be in communication such that identity provider/KMS 320 provides cloud server 360 with a listing of tokens assigned to endpoints/callers that are authorized to access cloud conferencing server 360 .
  • endpoints 314 and 352 may communicate with each other in cloud network 302 without cloud conferencing server 360 having access to their respective identities because cloud server 360 may only have information regarding authorized tokens and not the identities behind the authorized tokens/certificates. This can increase privacy among the communicating endpoints by preventing unauthorized parties from learning identifying information about the communicating endpoints. Further, this may prevent unauthorized parties from making inferences regarding the nature of the communications between the endpoint callers 314 and 352 .
  • identity provider/KMS 320 may create an identity assertion/token/certificate that disguises or omits the identity of the authenticated endpoint/caller.
  • the authenticated endpoint/caller upon requesting access to cloud network 302 by, for example, an offer/answer procedure with cloud conferencing server 360 , the authenticated endpoint/caller can provide an authenticated token from identity provider/KMS 320 that does not contain identifying information of the authenticated endpoint/caller.
  • an authenticating endpoint/caller may provide identity provider/KMS 320 with information regarding the identities of other endpoints/callers that plan to join the conference call in cloud 302 .
  • the authenticating endpoint/caller may also provide identity provider/KMS 320 with a listing of other endpoints/callers authorized to receive the identity of the authenticating party. This can allow callers in cloud network 302 to confirm that the parties they are communicating with in cloud network 302 are the intended parties. In some embodiments, this can be achieved while withholding the identities of the communicating parties.
  • network environment 400 The devices, nodes, and networks described in network environment 400 are non-limiting examples of devices, nodes, and networks provided for clarification purposes.
  • network environment 400 can include more or less devices, nodes, and networks than those depicted in FIG. 4 .
  • network environment 400 can include other configurations, architectures, topologies, and so forth. Indeed, other configurations, architectures, topologies, systems, and implementations are contemplated herein.
  • FIG. 5 illustrates an example embodiment of token generation.
  • a user 510 may utilize, for example, a laptop or other network computing device to receive an authenticated certificate/token that does not list the user's identification.
  • This certificate/token may be used to access a cloud conference server (not shown) such that the user's identity is not known to the cloud conference server, but may be disclosed to other callers in the user's call conference by utilization of, for example, a group identifier.
  • Server 512 may be an identity provider or key management server. Moreover, server 512 can function as an on-site enterprise key management server or as a remote server in a decentralized key distribution system.
  • step 502 involves user 510 authenticating its identity with server 512 .
  • Authentication can occur through use of, for instance, a user name and password.
  • Server 512 can generate key pairs at step 504 to send back to user 510 .
  • a public key can be sent back to server 512 .
  • server 512 may generate and sign the certificate/token and return the certificate/token to user 510 .
  • the signed certificate/token may not include the identity of user 510 such that user 510 can utilize the signed certificate/token to access a cloud conference server without the cloud conference server knowing the identity of user 510 or the devices used by user 510 to access the cloud conference server.
  • FIG. 6 illustrates an example procedure 600 for endpoint privacy preservation with cloud conferencing according to one or more embodiments of the present disclosure.
  • the steps outlined herein are exemplary and can be implemented in any combination thereof, including combinations that exclude, add, or modify steps shown in FIG. 6 .
  • a first request can be received from a first endpoint to access a cloud-based conference platform, wherein the first request includes a first access token.
  • a first certificate can be provided to the first endpoint, wherein the first certificate does not include an identity of the first endpoint.
  • procedure 600 may continue at step 604 wherein a second request may be received from a second endpoint to access the cloud-based conference platform, wherein the second request includes a second access token. Based at least on the second request, a second certificate can be provided to the second endpoint, wherein the second certificate does not include an identity of the second endpoint. If access to the cloud-based conference platform is authorized, procedure 600 may continue at step 606 wherein data can be routed within the cloud-based conference platform between the first endpoint and second endpoint using the MDD. Endpoints may authenticate with the MDD using, for example, a short-term certificate provided by the Enterprise IdP.
  • a listing of endpoints authorized to receive the identities of the other endpoints in the cloud-based conference platform that are communicating with each other may be provided to an identity provider.
  • a request may be received from the second endpoint for the identity of the first endpoint. If the second endpoint is authorized to receive the identity of the first endpoint (e.g., the second endpoint is one of the endpoints in the listing of endpoints authorized to receive the identity of the first endpoint), at step 610 , the identity of the first endpoint can be provided to the second endpoint.
  • procedure 600 may be optional as described above, the steps shown in FIG. 6 are merely examples for illustration, and steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments described herein.
  • FIG. 7 illustrates an example procedure 700 for endpoint privacy preservation with cloud conferencing according to one or more embodiments of the present disclosure.
  • the steps outlined herein are exemplary and can be implemented in any combination thereof, including combinations that exclude, add, or modify steps shown in FIG. 7 .
  • a first request can be received from a first endpoint to access a cloud-based conference platform. If the first endpoint is authorized access to the cloud-based conference platform, procedure 700 can continue to step 704 .
  • a first access token can be provided to the first endpoint.
  • a first certificate can be provided to the first endpoint, wherein the first certificate does not include an identity of the first endpoint.
  • Procedure 700 continues at step 706 wherein a second request may be received from a second endpoint to access the cloud-based conference platform. If the second endpoint is authorized access to the cloud-based conference platform, procedure 700 can continue to step 708 .
  • a second access token can be provided to the second endpoint and based at least on the second request, a second certificate may be provided to the second endpoint, wherein the second certificate does not include an identity of the second endpoint.
  • the first endpoint and the second endpoint may communicate with each other in the cloud-based conference platform using at least the MDD. Endpoints can authenticate to the MDD using short-term certificates provided by the Enterprise Identity provider.
  • Procedure 700 may continue to step 710 wherein a listing of endpoints authorized to access the cloud-based conference platform can be received.
  • step 712 a request for an identity of an endpoint of the listing of endpoints authorized to access the cloud-based conference platform can be received. If the requesting endpoint is authorized to receive the requested identity, procedure 700 may continue to step 714 wherein the identity of the requested endpoint is provided to the requesting endpoint.
  • procedure 700 may be optional as described above, the steps shown in FIG. 7 are merely examples for illustration, and steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments described herein.
  • FIG. 8 illustrates an example system architecture of some embodiments of the present technology. Persons of ordinary skill in the art will also readily appreciate that other system embodiments are possible.
  • FIG. 8 illustrates a conventional bus computing system architecture 800 wherein the components of the system are in electrical communication with each other using a bus 805 .
  • Exemplary system 800 includes a processing unit (CPU or processor) 810 and a system bus 805 that couples various system components including the system memory 815 , such as read only memory (ROM) 820 and random access memory (RAM) 825 , to the processor 810 .
  • the system 800 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 810 .
  • the system 800 can copy data from the memory 815 and/or the storage device 830 to the cache 812 for quick access by the processor 810 . In this way, the cache can provide a performance boost that avoids processor 810 delays while waiting for data.
  • the processor 810 can include any general purpose processor and a hardware module or software module, such as module 1 832 , module 2 834 , and module 3 836 stored in storage device 830 , configured to control the processor 810 as well as a special-purpose processor where software instructions are incorporated into the actual processor design.
  • the processor 810 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc.
  • a multi-core processor may be symmetric or asymmetric.
  • an input device 845 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth.
  • An output device 835 can also be one or more of a number of output mechanisms known to those of skill in the art.
  • multimodal systems can enable a user to provide multiple types of input to communicate with the computing device 800 .
  • the communications interface 840 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
  • Storage device 830 can be a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 825 , read only memory (ROM) 820 , and hybrids thereof.
  • RAMs random access memories
  • ROM read only memory
  • the storage device 830 can include software modules 832 , 834 , 836 for controlling the processor 810 .
  • Other hardware or software modules are contemplated.
  • the storage device 830 can be connected to the system bus 805 .
  • a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 810 , bus 805 , display 835 , and so forth, to carry out the function.
  • example system 800 can have more than one processor 810 or be part of a group or cluster of computing devices networked together to provide greater processing capability.
  • the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
  • the computer-readable storage devices, media, and memories can include a cable or wireless signal containing a bit stream and the like.
  • non-transitory computer-readable storage media exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
  • Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network.
  • the computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
  • Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rack mount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
  • the instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
  • the techniques disclosed herein can provide increased privacy among endpoints communicating via a cloud-based network which may result in more efficient network packet processing as fewer data may be required for network packet transmissions, which may result in fewer processor cycles required to route signals and thus improved efficiency of the network processors used to implement some embodiments of the present technology.
  • Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network.
  • the computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code.
  • Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include cloud-based media, magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and the like.
  • devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, tablets, wearable devices, small form factor personal computers, personal digital assistants, and the like.
  • Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.

Abstract

In one embodiment, a first request may be received from a first endpoint to access a cloud-based conference platform. The first request can include a first access token. Based at least on the first request, a first certificate may be provided to the first endpoint, wherein the first certificate may not include an identity of the first endpoint. A second request may be received from a second endpoint to access the cloud-based conference platform. The second request can include a second access token. Based at least on the second request, a second certificate can be provided to the second endpoint, wherein the second certificate may not include an identity of the second endpoint. Data can be routed within the cloud-based conference platform between the first endpoint and second endpoint based at least upon the first certificate and the second certificate.

Description

    TECHNICAL FIELD
  • The present technology pertains to computer-based networking, and more specifically to privacy preservation in a cloud-based networking environment.
    • BACKGROUND
  • As more enterprises and private consumers shift toward cloud-based networking for communication and data manipulation, challenges arise due to an increasing amount of bad parties seeking to access, without authorization, information stored in cloud-based networks. Such information may include sensitive data being shared such as work-related documents or the names of the parties communicating with each other and the organizations/enterprises that the parties belong to. Parties communicating via a cloud-based network may not want unauthorized parties to know their identities due to privacy concerns. This may be due to the fact that inferences can be made if an unauthorized party is aware of the identities of parties in communication with each other via a cloud-based network. Such inferences may be reinforced when data regarding the amount and duration of communications between the parties is known in addition to the identities of the parties.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • In order to describe the manner in which the above-recited features and other advantages of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:
  • FIG. 1 illustrates an example cloud architecture including nodes and devices interconnected by various methods of communication;
  • FIG. 2 illustrates an example cloud service management system;
  • FIG. 3 illustrates an example network environment 300 which may utilize decentralized key distribution;
  • FIG. 4 illustrates an example network environment 400 which may utilize centralized key distribution;
  • FIG. 5 illustrates an example embodiment of token generation;
  • FIG. 6 illustrates an example procedure utilizing a decentralized key distribution;
  • FIG. 7 illustrates an example procedure utilizing a centralized key distribution;
  • FIG. 8 illustrates an example architecture of some embodiments of the present technology;
    •
  • A component or a feature that is common to more than one drawing is indicated with the same reference number in each of the drawings.
    • DESCRIPTION OF EXAMPLE EMBODIMENTS
  • Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the disclosure.
    • Overview
  • In some embodiments, a first request may be received from a first endpoint to access a cloud-based conference platform. The first request can include a first access token that does not include an identity of the first endpoint. A second request may be received from a second endpoint to access the cloud-based conference platform. The second request can include a second access token that does not include an identity of the second endpoint. Data can be routed within the cloud-based conference platform between the first endpoint and second endpoint based at least upon the first certificate and the second certificate. These and other features are disclosed in greater detail below.
    • Description
  • Some embodiments of the present technology can hide the identities of endpoints (for example, call participants) in a conference call using the cloud conference server while still allowing endpoints to exchange media (for example, voice/data/video) through the media distribution device (MDD) provided by the cloud conference service. The participating endpoints can also be made aware of the identities of the other participating endpoints on the conference call. This may be accomplished, in some embodiments, by utilizing an authorization server to act as an intermediary to determine whether endpoints/call participants of an intended conference call conducted via a cloud conference server are authorized to participate in the conference call. The authorization server may provide keys (for instance, encrypted keys) to the endpoints for verification that the endpoints may access the conference call. In some embodiments, the authorization server can be the Enterprise identity provider (IdP) to generate a certificate/token for an endpoint which is trying to establish its identity (may be referred to as an authenticating party or authenticating endpoint) to access to the cloud conference server, wherein the certificate may conceal the identity of the endpoint call participant. The authenticating party/authenticating endpoint may also inform the identity provider about the identities of other participants in the conference call authorized to receive the identity of the authenticating party.
  • Assertion verification can be a process by which a relying party can verify that an assertion of a user's ownership of a certain credential/certificate is valid. In some embodiments, an IdP can provide a short-term certificate (e.g., single use) such that an ownership assertion needs to be changed for each request (e.g., each call) to access a cloud conferencing server so that the cloud conferencing server cannot identify that the same endpoint is making multiple calls.
  • Endpoints may use a third party authorization service (for example, OAuth 2.0) to gain access to a cloud conferencing server. In some embodiments, an Enterprise identity provider can perform the role of authorization server and the cloud conferencing server can perform the role of resource server. Endpoints may authenticate with the authorization server/Enterprise identity provider in order to receive an access token from the authorization server/Enterprise identity provider. The endpoints can then utilize the access token to receive authorization to access the cloud conferencing server and MDD. Thus, some embodiments provide that the endpoints do not make their true identities known to the cloud conferencing server.
  • In some embodiments, an IdP proxy can mask the true identities of authenticating parties/endpoints during identity assertion generation, which may be exchanged using an offer/answer process. The IdP proxy can be implemented with a script (e.g., JavaScript®) that runs in an isolated security context within a network and communicates via a secure message passing channel. Identity assertion generation may be followed by identity assertion validation/verification, which can be performed by the IdP proxy. In some embodiments, the identity assertion generated by the IdP proxy may not include the true identity of the authenticating party. Participants of the conference call can receive the true identity of the authenticating party, but identity assertion validation/verification performed by the MDD may not receive the true identity of the authenticating party since the MDD may not be authorized by the authenticating party to receive the true identity.
  • In some embodiments, a web browser may instantiate an IdP proxy. This may allow the IdP to load any script necessary into the IdP proxy. The resulting code may run in the IdP's security context. The IdP can register an object with the browser that conforms to a corresponding application program interface (API). The web browser may invoke methods on the object registered by the IdP proxy to generate or verify/validate identity assertions.
  • Endpoint identities or true identities may refer to the identities of each individual participant and/or the identities of the organizations associated with the endpoints/call participants. Some embodiments of the present technology may hide the identities of the individual call participants/endpoints from the cloud conferencing server while some embodiments may hide both the identities of the individual call participants and the identities of the organizations associated with the call participants. This would, among other things, improve privacy among call participants because outside parties would not be able to make inferences based on tracked call sessions made in the cloud conference server.
  • For instance, a call session facilitated by a cloud conferencing server could be targeted to gain information which would be valuable to businesses competing with the participants of a call session. If the true identities of the call session participants are discovered by an unauthorized third party, the unauthorized third party could use the information to make inferences regarding the nature of the call session. For example, an unauthorized third party could infer that the endpoint parties of the call session are conducting business deals or negotiations. This information could be valuable to an unauthorized third party as it may allow the unauthorized third party to gain an unfair business advantage over its competitors by having information that was intended to be confidential. Thus, privacy concerns may dictate a need for concealment of endpoint identities in a cloud conferencing server environment.
  • In some embodiments, a decentralized key distribution method can include a first conference call participant (for example, a speaker in the conference call) who establishes a secure connection with other conference call participants. The conference call participants can authenticate individually with an authentication server in order to receive a certificate/token for access to the conference call hosted by a cloud conference server. The initiating participant may request from the authentication server an encrypted key/token/group identifier for distribution to the group of conference call participants in order to exchange media. In some embodiments, the cloud conference server cannot access the encrypted media exchanged between participants and does not know the identity of the participants, but can modify the Real-time Transport Protocol (RTP) header.
  • In some embodiments, a centralized key distribution method can include an on-premise Enterprise Key Management Server (KMS), which may act as an intermediary/proxy authorization server. Endpoint participants of a conference call can authenticate with the KMS, and the initiating endpoint participant may request a group identifier/encryption key from the KMS in order for the conference call participants to communicate with each other while utilizing the cloud conference server. The KMS may provide the identities of conference call participants to other conference call participants authorized to receive the information.
  • In some embodiments, the present technology can be utilized in a cloud computing environment. For example, an exemplary cloud or virtual computing environment is provided in FIG. 1. FIG. 1 illustrates an example cloud architecture 100 including nodes and devices interconnected by various methods of communication. Cloud 150 can be a public, private, and/or hybrid cloud system which may include one or more public and private cloud networks in communication with each other. Cloud 150 can include resources, such as a cloud conferencing server 152; MDD 154; one or more Firewalls 197; Load Balancers 193; WAN optimization platforms 195; devices 187, such as switches, routers, intrusion detection systems, Auto VPN systems, or any hardware or software network device; one or more servers 180, such as a primary use network server, a data backup server, dynamic host configuration protocol (DHCP), domain naming system (DNS), or storage servers; virtual machines (VMs) 190; controllers, such as a communications controller 200 or a management device.
  • MDD 154 can forward media flows transmitted by conference call participants to other conference call participants, and may sometimes forward only a subset of flows based on voice activity detection or other criteria. In some embodiments, a switching MDD 154 may make limited modifications to RTP [RFC3550] headers, for example, but the actual media content (e.g., voice or video data) can be unaltered. An advantage of switched conferencing is that MDD 154 can be deployed on general-purpose computing hardware. This, in turn, means that it is possible to deploy a switching MDD 154 in virtualized environments, including private and public clouds.
  • Cloud resources can be physical, software, virtual, or any combination thereof. For example, a cloud resource can include a server running one or more VMs or storing one or more databases. Moreover, cloud resources can be provisioned based on requests (e.g., client or tenant requests), schedules, triggers, events, signals, messages, alerts, agreements, necessity, or any other factor. For example, cloud 150 can provision network recovery services, application services, software development services, database services, storage services, management services, monitoring services, configuration services, administration services, backup services, disaster recovery services, bandwidth or performance services, intrusion detection services, VPN services, or any type of services to any device, server, network, client, or tenant.
  • In addition, cloud 150 can handle traffic and/or provision services. For example, cloud 150 can provide network routing/re-routing services, network data backup services, configuration services, such as auto VPN, automated deployments, automated wireless configurations, automated policy implementations, and the like. In some embodiments, the cloud 150 can collect data about a client or network and generate configuration settings for specific service, device, or networking deployments. For example, the cloud 150 can generate security policies, subnetting and routing schemes, forwarding schemes, NAT settings, VPN settings, and/or any other type of configurations. The cloud 150 can then push or transmit the necessary data and settings to specific devices or components to manage a specific implementation or deployment. For example, the cloud 150 can generate VPN settings, such as IP mappings, port number, and security information, and send the VPN settings to specific, relevant device(s) or component(s) identified by the cloud 150 or otherwise designated. The relevant device(s) or component(s) can then use the VPN settings to establish a VPN tunnel according to the settings. As another example, the cloud 150 can generate and manage network diagnostic tools or graphical user interfaces.
  • Furthermore, cloud 150 can provide specific services for clients—namely, client A 110, client B 120, and client C 130. For example, cloud 150 can deploy a network or specific network components, configure links or devices, automate services or functions, or provide any other services for the clients. Other non-limiting example services performable by cloud 150 can include network administration services, network monitoring services, content filtering services, application control, WAN optimization, firewall services, gateway services, storage services, protocol configuration services, wireless deployment services, and so forth.
  • To this end, the clients can connect with cloud 150 through networks 160, 162, and 164, respectively. More specifically, client A 110, client B 120, and client C 130 can each connect with cloud 150 through networks 160, 162, and 164, respectively, in order to access resources from cloud 150, communicate with cloud 150, or receive any services from cloud 150. Networks 160, 162, and 164 can each refer to a public network, such as the Internet; a private network, such as a LAN; a combination of networks; or any other network, such as a VPN or an overlay network.
  • Moreover, the clients can each include one or more networks. For example, client A 110, client B 120, and client C 130 can each include one or more LANs and VLANs. In some cases, a client can represent one branch network, such as a LAN, or multiple branch networks, such as multiple remote networks. For example, client A 110 can represent a single LAN network or branch, or multiple branches or networks, such as a branch building or office network in Los Angeles and another branch building or office network in New York. If a client includes multiple branches or networks, the multiple branches or networks can each have a designated connection to the cloud 150. For example, each branch or network can maintain a tunnel to the cloud 150. Alternatively, all branches or networks for a specific client can connect to the cloud 150 via one or more specific branches or networks. For example, traffic for the different branches or networks of a client can be routed through one or more specific branches or networks. Further, client A 110, client B 120, and client C 130 can each include one or more routers, switches, appliances, client devices, VMs, or any other devices.
  • Each client can also maintain links between branches. For example, client A can have two branches, and the branches can maintain a link between each other. Thus, in some cases, branches can maintain a tunnel between each other, such as a VPN tunnel. Moreover, the link or tunnel between branches can be generated and/or maintained by the cloud 150. For example, the cloud 150 can collect network and address settings for each branch and use those settings to establish a tunnel between branches. In some cases, the branches can use a respective tunnel between the respective branch and the cloud 150 to establish the tunnel between branches. For example, branch 1 can communicate with cloud 150 through a tunnel between branch 1 and cloud 150 to obtain the settings for establishing a tunnel between branch 1 and branch 2. Branch 2 can similarly communicate with cloud 150 through a tunnel between branch 2 and cloud 150 to obtain the settings for the tunnel between branch 1 and branch 2.
  • In some cases, cloud 150 can maintain information about each client network, in order to provide or support specific services for each client, such as network traffic monitoring, network traffic routing/re-routing, security, or VPN services. Cloud 150 can also maintain one or more links or tunnels to the clients. For example, cloud 150 can maintain a VPN tunnel to one or more devices in client A's network. In some cases, cloud 150 can configure the VPN tunnel for a client, maintain the VPN tunnel, or automatically update or establish any link or tunnel to the client or any devices of the client.
  • The cloud 150 can also monitor device and network health and status information for client A 110, client B 120, and client C 130. To this end, client A 110, client B 120, and client C 130 can synchronize information with cloud 150. Cloud 150 can also manage and deploy services for the clients. For example, cloud 150 can collect network information about client A 110 and generate network and device settings to automatically deploy a service for client A 110. In addition, cloud 150 can update device, network, and service settings for the clients.
  • Those skilled in the art will understand that the cloud architecture 150 can include any number of nodes, devices, links, networks, or components. In fact, embodiments with different numbers and/or types of clients, networks, nodes, cloud components, servers, software components, devices, virtual or physical resources, configurations, topologies, services, appliances, deployments, or network devices are also contemplated herein. Further, cloud 150 can include any number or types of resources, which can be accessed and utilized by clients or tenants. The illustration and examples provided herein are intended for clarification of some embodiments of the present technology.
  • Moreover, as far as communications, packets (e.g., traffic and/or messages) can be exchanged among the various nodes and networks in the cloud architecture 100 using specific network protocols. In particular, packets can be exchanged using wired protocols, wireless protocols, security protocols, OSI-Layer specific protocols, or any other protocols. Some non-limiting examples of protocols can include Session Initiation Protocol (SIP), protocols from the Internet Protocol Suite, such as TCP/IP; OSI (Open Systems Interconnection) protocols, such as L1-L7 protocols; routing protocols, such as RIP, IGP, BGP, STP, ARP, OSPF, EIGRP, NAT; or any other protocols or standards, such as HTTP, SSH, SSL, RTP, FTP, SMTP, POP, PPP, NNTP, IMAP, Telnet, SSL, SFTP, WIFI, Bluetooth, VTP, ISL, IEEE 802 standards, L2TP, IPSec, etc. In addition, various hardware and software components or devices can be implemented to facilitate communications both within a network and between networks. The various hardware and software components or devices can also be referred to as nodes and some examples are switches, hubs, routers, access points (APs), antennas, network interface cards (NICs), modules, cables, firewalls, servers, repeaters, sensors, and the like.
  • FIG. 2 illustrates a schematic block diagram of an example communications controller 200. Communications controller 200 can serve as a cloud service management system for cloud 150. In particular, communications controller 200 can manage cloud operations, client communications, service provisioning, network configuration and monitoring, and the like. For example, communications controller 200 can manage cloud service provisioning, such as cloud storage, media, streaming, security, or administration services. In some embodiments, communications controller 200 can manage VMs; networks, such as client networks or software-defined networks (SDNs); service provisioning; and the like.
  • Communications controller 200 can include several subcomponents, including hardware and software components such as a scheduling function 204, a processor 205, a dashboard process 206, data 208, a networking function 210, a management layer 212, and a communication interface 202. The various subcomponents can be implemented as hardware and/or software components (e.g., processor 205, memory, data structures, etc.). Moreover, although FIG. 2 illustrates one example configuration of the various components of communications controller 200, those of skill in the art will understand that the components can be configured in a number of different ways and can include any other type and number of components. For example, networking function 210 and management layer 212 can belong to one software module or multiple separate modules. Other modules can be combined or further divided up into more subcomponents.
  • Scheduling function 204 can manage scheduling of procedures, events, or communications. For example, scheduling function 204 can schedule when resources should be allocated from cloud 150. As another example, scheduling function 204 can schedule when specific instructions or commands should be transmitted to the network (e.g., one or more client devices). In some cases, scheduling function 204 can provide scheduling for operations performed or executed by the various subcomponents of communications controller 200. Scheduling function 204 can also schedule resource slots, virtual machines, bandwidth, device activity, status changes, nodes, updates, and the like.
  • Dashboard process 206 can provide an interface or front end where clients can access, consume, and generally monitor cloud services. For example, dashboard process 206 can provide a web-based frontend where clients can configure client devices or networks that are cloud-managed, provide client preferences, specify policies, enter data, upload statistics, configure interactions or operations, etc. In some cases, dashboard process 206 can provide visibility information, such as views of client networks or devices, and even provide diagnostic information, discussed in greater detail below—e.g., dashboard process 206 can provide a view of the status or conditions of the client's network, the operations taking place, services, performance, a topology or layout, specific network devices, protocols implemented, running processes, errors, notifications, alerts, network structure, ongoing communications, data analysis, etc.
  • In some cases, dashboard process 206 can provide a graphical user interface (GUI) for the client to monitor the client network, the devices, statistics, errors, notifications, etc., and even make modifications or setting changes through the GUI. The GUI can depict charts, lists, tables, tiles, network trees, maps, topologies, symbols, structures, or any graphical object or element. In addition, the GUI can use color, font, shapes, or any other characteristics to depict scores, alerts, or conditions. In some cases, dashboard process 206 can also handle user or client requests. For example, the client can enter a service request through dashboard process 206.
  • Data 208 can include any data or information, such as management data, statistics, settings, preferences, profile data, logs, notifications, attributes, configuration parameters, client information, network information, and the like. For example, communications controller 200 can collect network statistics from the client and store the statistics as part of data 208. In some cases, data 208 can include performance and/or configuration information. This way, communications controller 200 can use data 208 to perform management or service operations for the client. Data 208 can be stored on a storage or memory device on communications controller 200, a separate storage device connected to communications controller 200, or a remote storage device in communication with communications controller 200.
  • Networking function 210 can perform networking calculations, such as network addressing, or networking service or operations, such as auto VPN configuration or traffic routing/re-routing. For example, networking function 210 can perform filtering functions, switching functions, failover functions, high availability functions, network or device deployment functions, resource allocation functions, messaging functions, traffic analysis functions, port configuration functions, mapping functions, packet manipulation functions, path calculation functions, loop detection, cost calculation, error detection, or otherwise manipulate data or networking devices. In some embodiments, networking function 210 can handle networking requests from other networks or devices and establish links between devices. In some embodiments, networking function 210 can perform queueing, messaging, or protocol operations.
  • Management layer 212 can include logic to perform management operations. For example, management layer 212 can include the logic to allow the various components of communications controller 200 to interface and work together. Management layer 212 can also include the logic, functions, software, and procedure to allow communications controller 200 to perform monitoring, management, control, and administration operations of other devices, cloud 150, the client, applications in cloud 150, services provided to the client, or any other component or procedure. Management layer 212 can include the logic to operate communications controller 200 and perform particular services configured on communications controller 200.
  • Moreover, management layer 212 can initiate, enable, or launch other instances in communications controller 200 and/or cloud 150. In some embodiments management layer 212 can also provide authentication and security services for cloud 150, the client, controller 200, and/or any other device or component. Further, management layer 212 can manage nodes, resources, VMs, settings, policies, protocols, communications, and the like. In some embodiments, management layer 212 and networking function 210 can be part of the same module. However, in some embodiments, management layer 212 and networking function 210 can be separate layers and/or modules.
  • Communications interface 202 allows communications controller 200 to communicate with the client, as well as any other device or network. Communications interface 202 can be a network interface card (NIC), and can include wired and/or wireless capabilities. Communications interface 202 allows communications controller 200 to send and receive data from other devices and networks. In some embodiments, communications controller 200 can include multiple communications interfaces for redundancy or failover. For example, communications controller 200 can include dual NICs for connection redundancy.
  • FIG. 3 illustrates an example network environment 300 which may utilize decentralized key distribution to increase privacy of endpoints (e.g., callers) in a conference call. The network environment 300 can include one or more networks, such as networks 304A and 304B. In some embodiments, endpoint callers may originate their communications from either network 304A or network 304B, using cloud based network 302 with cloud server 360 to communicate in a cloud-based environment. Networks 304A and 304B can include one or more local area networks (LANs), virtual LANs, wireless networks, physical network segments, logical network segments, underlay networks, overlay networks, etc. Each of the networks 304A and 304B can also include one or more physical and/or logical network segments. For example, networks 304A and 304B can be segmented into VLANs in order to separate traffic within the networks 304A and 304B. Moreover, networks 304A and 304B can be interconnected by network 302. Network 302 can include a cloud-based computing network, server 360, private network, such as a LAN, and/or a public network such as the Internet.
  • Networks 304A and 304B can include various devices 314, 316, 320, 322, 326, 328, 330, 338, 342, 346, 348, 350, 352, such as servers and client devices, interconnected via network devices 306-310, 312, 332-336, and 344, such as routers, firewalls, switches, and so forth. In some embodiments, networks 304A and 304B can be cloud-based networks themselves and may include clusters of nodes. Further, networks 304A and 304B and/or one or more nodes in networks 304A and 304B can be configured to provision network or application services, such as firewall services, content filtering services, application security services, web security services, bandwidth services, VPN services, web services, database services, remote access services, Internet services, and so forth.
  • Network 370 can be a cloud-based network with server 372. In some embodiments, server 372 may serve the role of identity provider for endpoints/callers that desire an authorization token to communicate with other endpoints/callers in a communication between the parties such as for communication in a conference call facilitated in cloud network 302 by cloud server 360.
  • In some embodiments, client device (endpoint) 314 of network 304A may desire communication with client device (endpoint) 352 of network 304B via cloud network 302. It is noted that endpoints 314 and 352 are shown as laptops, but may be represented by smartphones, desktop computers, tablets, and the like. Endpoint 314 and endpoint 352 may desire that their communications via network 302 be private in that their identities are not detectable by third parties operating in cloud network 302. Endpoints 314 and 352 may gain access to cloud conferencing server 360 by utilizing, for example, OAuth 2.0. Prior to communicating with each other via the MDD in the cloud conferencing server 360, both endpoints 314 and 352 may be authenticated with authorization server 372. Authorization server 372 can provide endpoints 314 and 352 with authorization tokens/certificates to access cloud conferencing server and MDD 360.
  • The tokens/certificates utilized by endpoints 314 and 352 for access to cloud conferencing server 360 may not list the identities of endpoints 314 and 352 such that a third party gaining unauthorized access to the tokens would not be able to determine the identities of endpoints 314 and 352. In some embodiments, the individual identities associated with endpoints 314 and 352 can be concealed in the tokens. The tokens/certificates can be obtained by endpoints 314 and 352 by communicating with the identity provider 372. In some embodiments, identity provider 372 may provide endpoints 314 and 352 with a short-term token/certificate, or a one-time use token. An authenticating party, for instance endpoint 314 or endpoint 352, can request that identity provider 372 generate a token/certificate that does not include the identity of the authenticating party. In some embodiments, short-term certificates and identity assertions can be changed for an endpoint for each call of a plurality of conference calls so that the cloud conferencing server cannot determine that the same endpoint is making multiple calls.
  • After endpoints 314 and 352 receive their authenticated tokens/certificates, each endpoint may attempt to access cloud network 302 by providing their authenticated tokens/certificates. In some embodiments, cloud server 360 and identity provider 372 may be in communication such that identity provider 372 provides cloud server 360 with a listing of tokens assigned to endpoints/callers that are authorized to access cloud network 302. Thus, in some embodiments, when endpoints 314 and 352 receive their authenticated tokens and short-term certificates, they may communicate with each other in cloud network 302 without cloud server 360 having access to their respective identities because cloud server 360 may only have information regarding authorized tokens and not the identities behind the authorized tokens/certificates. This can increase privacy among the communicating endpoints by preventing unauthorized parties from learning identifying information about the communicating endpoints. Further, this may prevent unauthorized parties from making inferences regarding the nature of the communications between the endpoint callers 314 and 352.
  • In some embodiments, identity provider 372 may create an identity assertion/token/certificate that disguises or omits the identity of the authenticated endpoint/caller. Thus, upon requesting access to cloud network 302 by, for example, an offer/answer procedure with cloud conferencing server 360, the authenticated endpoint/caller can provide an authenticated token from identity provider 372 that does not contain identifying information of the authenticated endpoint/caller. In some embodiments, upon requesting a token/certificate to enter a conference call hosted by cloud conferencing server 360, an authenticating endpoint/caller may provide identity provider 372 with information regarding the identities of other endpoints/callers that plan to join the conference call in cloud 302. The authenticating endpoint/caller may also provide identity provider 372 with a listing of other endpoints/callers authorized to receive the identity of the authenticating party. This can allow callers in cloud network 302 to confirm that the parties they are communicating with in cloud network 302 are the intended parties. In some embodiments, this can be achieved while withholding the identities of the communicating parties.
  • This may be accomplished by utilizing a decentralized key distribution procedure. In a decentralized key distribution system, an endpoint/caller may convey IP addresses and port numbers in an offer/answer procedure for communicating, for example, group keys with other callers in cloud network 302. This may provide for group key management by providing to the conference call participants associated group identifiers/keys.
  • In a decentralized key distribution system, an initiating endpoint/caller may test connectivity with remote peers (e.g., other endpoints/callers) by using, for example, Interactive Connectivity Establishment (ICE). The initiating endpoint may establish a secure connection with the remote peers/remote endpoints/remote callers, and the remote callers can mutually authenticate using, for example, short-term certificates provided by identity provider 372. This can be done by a relying party (e.g., a remote peer/caller desiring to join a conference call) validating their remote peer's certificate and assertion. The relying party can request identity provider 372 to provide the identity of an authenticated party (i.e., a remote peer on the same conference call). If the relying party is authorized to receive the identity of the authenticated party, the identity provider 372 may provide the identity of the authenticated party to the relying party. Identity provider 372 may determine parties authorized to receive identifying endpoint information by utilizing a list of authorized parties provided to it from the authenticating party.
  • The initiating endpoint/caller can generate a group identifier/group symmetric key (e.g., a group end-to-end encryption key) for encrypting and decrypting media exchanged between endpoints in a conference call hosted by cloud server 360. The initiating endpoint (e.g., a speaker of the conference call) can distribute the group symmetric key and encryption algorithm (e.g., Authenticated Encryption with Associated Data (AEAD) to the other participants/callers/endpoints in the conference call using a secure communication channel. In some embodiments, participants in the conference call can also establish a Datagram Transport Layer Security-Real-time Transport Protocol (DTLS-SRTP) session with cloud conferencing server 360 to generate a hop-by-hop key. The participants in the conference call may use a group end-to-end key to encrypt media transmitted in cloud network 302 to other participants in the conference call. The conference call participants may use the hop-by-hop key to encrypt RTP Control Protocol (RTCP) communications and calculate message integrity for Real-time Transport Protocol (RTP) headers. Thus, in some embodiments, cloud conferencing server 360 may not have access to encrypted real-time media in cloud 302 that is communicated between endpoints 314 and 352, but cloud conferencing server 360 may modify the RTP header associated with an encrypted communication.
  • The devices, nodes, and networks described in network environment 300 are non-limiting examples of devices, nodes, and networks provided for clarification purposes. One of ordinary skill in the art will readily recognize that network environment 300 can include more or less devices, nodes, and networks than those depicted in FIG. 3. Moreover, one of ordinary skill in the art will readily recognize that network environment 300 can include other configurations, architectures, topologies, and so forth. Indeed, other configurations, architectures, topologies, systems, and implementations are contemplated herein.
  • FIG. 4 illustrates an example network environment 400 which may utilize centralized key distribution to increase privacy of endpoints (e.g., callers) in a conference call. The network environment 400 can include one or more networks, such as networks 304A and 304B. In some embodiments, endpoint callers may originate their communications from either network 304A or network 304B, using cloud based network 302 with cloud server 360 to communicate in a cloud-based environment. Networks 304A and 304B can include one or more local area networks (LANs), virtual LANs, wireless networks, physical network segments, logical network segments, underlay networks, overlay networks, etc. Each of the networks 304A and 304B can also include one or more physical and/or logical network segments. For example, networks 304A and 304B can be segmented into VLANs in order to separate traffic within the networks 304A and 304B. Moreover, networks 304A and 304B can be interconnected by network 302. Network 302 can include a cloud-based computing network, server 360, private network, such as a LAN, and/or a public network such as the Internet.
  • Networks 304A and 304B can include various devices 314, 316, 320, 326, 328, 330, 338, 342, 346, 348, 350, 352, such as servers and client devices, interconnected via network devices 306-310, 312, 332-336, and 344, such as routers, firewalls, switches, and so forth. In some embodiments, networks 304A and 304B can be cloud-based networks themselves and may include clusters of nodes. Further, networks 304A and 304B and/or one or more nodes in networks 304A and 304B can be configured to provision network or application services, such as firewall services, content filtering services, application security services, web security services, bandwidth services, VPN services, web services, database services, remote access services, Internet services, and so forth.
  • In some embodiments, server 320 may serve the role of identity provider and key management server (KMS) for endpoints/callers that desire an authorization token to communicate with other endpoints/callers in a communication between the parties such as for communication in a conference call facilitated in cloud network 302 by cloud conferencing server 360. KMS 320 can be an on-premise enterprise KMS that may securely create, share, rotate, and store group end-to-end encryption keys for securing media communicated between endpoints/callers in a conference call facilitated by cloud conferencing server 360 in cloud network 302. In some embodiments, endpoints in a conference call may communicate with KMS 320 directly or through cloud conference server 360. Thus, cloud conference server 360 may act as a transparent proxy that does not receive application layer (L7) data exchanged between endpoints/callers and KMS 320. Endpoints may authenticate with KMS 320 by using a token/certificate provided by the identity provider and identity assertion. The endpoint initiating a media request via cloud conference server 360 can request KMS 320 to generate a group encryption key and can negotiate an encryption algorithm. KMS 320 may also provide the identities of conference call participants that are authorized to receive the group keying material. Moreover, KMS 320 may use a push or pull model to provide the group keying material to the conference call participants.
  • In some embodiments that utilize centralized key distribution, client device (endpoint) 314 of network 304A may desire communication with client device (endpoint) 352 of network 304B via cloud network 302. It is noted that endpoints 314 and 352 are shown as laptops, but may be represented by smartphones, desktop computers, tablets, and the like. Endpoint 314 and endpoint 352 may desire that their communications via network 302 be private in that their identities are not detectable by third parties operating in cloud network 302. Endpoints 314 and 352 may gain access to cloud conferencing server 360 by utilizing, for example, OAuth 2.0. Prior to communicating with each other in via cloud conferencing server 360, both endpoints 314 and 352 may be authenticated with identity provider/KMS 320. Identity provider/KMS 320 can provide endpoints 314 and 352 with authorization tokens/certificates to access cloud conferencing server 360.
  • The tokens/certificates utilized by endpoints 314 and 352 for access to cloud conferencing server 360 may not list the identities of endpoints 314 and 352 such that a third party gaining unauthorized access to the tokens would not be able to determine the identities of endpoints 314 and 352. In some embodiments, the organizations associated with endpoints 314 and 352 can be concealed in the tokens. The tokens/certificates can be obtained by endpoints 314 and 352 by communicating with identity provider/KMS 320. In some embodiments, identity provider/KMS 320 may provide endpoints 314 and 352 with a short-term token/certificate, or a one-time use token. An authenticating party, for instance endpoint 314 or endpoint 352, can request that KMS 320 generate a token/certificate that does not include the identity of the authenticating party.
  • After endpoints 314 and 352 receive their authenticated tokens/certificates, each endpoint may attempt to access cloud conferencing server 360 by providing their authenticated certificates. In some embodiments, cloud conferencing server 360 and identity provider/KMS 320 may be in communication such that identity provider/KMS 320 provides cloud server 360 with a listing of tokens assigned to endpoints/callers that are authorized to access cloud conferencing server 360. Thus, in some embodiments, when endpoints 314 and 352 receive their authenticated tokens, they may communicate with each other in cloud network 302 without cloud conferencing server 360 having access to their respective identities because cloud server 360 may only have information regarding authorized tokens and not the identities behind the authorized tokens/certificates. This can increase privacy among the communicating endpoints by preventing unauthorized parties from learning identifying information about the communicating endpoints. Further, this may prevent unauthorized parties from making inferences regarding the nature of the communications between the endpoint callers 314 and 352.
  • In some embodiments, identity provider/KMS 320 may create an identity assertion/token/certificate that disguises or omits the identity of the authenticated endpoint/caller. Thus, upon requesting access to cloud network 302 by, for example, an offer/answer procedure with cloud conferencing server 360, the authenticated endpoint/caller can provide an authenticated token from identity provider/KMS 320 that does not contain identifying information of the authenticated endpoint/caller. In some embodiments, upon requesting a token/certificate to enter a conference call hosted by cloud conferencing server 360, an authenticating endpoint/caller may provide identity provider/KMS 320 with information regarding the identities of other endpoints/callers that plan to join the conference call in cloud 302. The authenticating endpoint/caller may also provide identity provider/KMS 320 with a listing of other endpoints/callers authorized to receive the identity of the authenticating party. This can allow callers in cloud network 302 to confirm that the parties they are communicating with in cloud network 302 are the intended parties. In some embodiments, this can be achieved while withholding the identities of the communicating parties.
  • The devices, nodes, and networks described in network environment 400 are non-limiting examples of devices, nodes, and networks provided for clarification purposes. One of ordinary skill in the art will readily recognize that network environment 400 can include more or less devices, nodes, and networks than those depicted in FIG. 4. Moreover, one of ordinary skill in the art will readily recognize that network environment 400 can include other configurations, architectures, topologies, and so forth. Indeed, other configurations, architectures, topologies, systems, and implementations are contemplated herein.
  • FIG. 5 illustrates an example embodiment of token generation. A user 510 may utilize, for example, a laptop or other network computing device to receive an authenticated certificate/token that does not list the user's identification. This certificate/token may be used to access a cloud conference server (not shown) such that the user's identity is not known to the cloud conference server, but may be disclosed to other callers in the user's call conference by utilization of, for example, a group identifier. Server 512 may be an identity provider or key management server. Moreover, server 512 can function as an on-site enterprise key management server or as a remote server in a decentralized key distribution system. In FIG. 5, step 502 involves user 510 authenticating its identity with server 512. Authentication can occur through use of, for instance, a user name and password. Server 512 can generate key pairs at step 504 to send back to user 510. At step 506, a public key can be sent back to server 512. At step 508, server 512 may generate and sign the certificate/token and return the certificate/token to user 510. In some embodiments, the signed certificate/token may not include the identity of user 510 such that user 510 can utilize the signed certificate/token to access a cloud conference server without the cloud conference server knowing the identity of user 510 or the devices used by user 510 to access the cloud conference server.
  • FIG. 6 illustrates an example procedure 600 for endpoint privacy preservation with cloud conferencing according to one or more embodiments of the present disclosure. The steps outlined herein are exemplary and can be implemented in any combination thereof, including combinations that exclude, add, or modify steps shown in FIG. 6. At step 602, a first request can be received from a first endpoint to access a cloud-based conference platform, wherein the first request includes a first access token. Based at least on the first request, a first certificate can be provided to the first endpoint, wherein the first certificate does not include an identity of the first endpoint. If access to the cloud-based conference platform is authorized, procedure 600 may continue at step 604 wherein a second request may be received from a second endpoint to access the cloud-based conference platform, wherein the second request includes a second access token. Based at least on the second request, a second certificate can be provided to the second endpoint, wherein the second certificate does not include an identity of the second endpoint. If access to the cloud-based conference platform is authorized, procedure 600 may continue at step 606 wherein data can be routed within the cloud-based conference platform between the first endpoint and second endpoint using the MDD. Endpoints may authenticate with the MDD using, for example, a short-term certificate provided by the Enterprise IdP.
  • A listing of endpoints authorized to receive the identities of the other endpoints in the cloud-based conference platform that are communicating with each other may be provided to an identity provider. At step 608, a request may be received from the second endpoint for the identity of the first endpoint. If the second endpoint is authorized to receive the identity of the first endpoint (e.g., the second endpoint is one of the endpoints in the listing of endpoints authorized to receive the identity of the first endpoint), at step 610, the identity of the first endpoint can be provided to the second endpoint.
  • It should be noted that while certain steps within procedure 600 may be optional as described above, the steps shown in FIG. 6 are merely examples for illustration, and steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments described herein.
  • FIG. 7 illustrates an example procedure 700 for endpoint privacy preservation with cloud conferencing according to one or more embodiments of the present disclosure. The steps outlined herein are exemplary and can be implemented in any combination thereof, including combinations that exclude, add, or modify steps shown in FIG. 7. At step 702, a first request can be received from a first endpoint to access a cloud-based conference platform. If the first endpoint is authorized access to the cloud-based conference platform, procedure 700 can continue to step 704. In step 704, in response to the first request, a first access token can be provided to the first endpoint. Based at least on the first request, a first certificate can be provided to the first endpoint, wherein the first certificate does not include an identity of the first endpoint. Procedure 700 continues at step 706 wherein a second request may be received from a second endpoint to access the cloud-based conference platform. If the second endpoint is authorized access to the cloud-based conference platform, procedure 700 can continue to step 708. In step 708, in response to the second request, a second access token can be provided to the second endpoint and based at least on the second request, a second certificate may be provided to the second endpoint, wherein the second certificate does not include an identity of the second endpoint. The first endpoint and the second endpoint may communicate with each other in the cloud-based conference platform using at least the MDD. Endpoints can authenticate to the MDD using short-term certificates provided by the Enterprise Identity provider.
  • Procedure 700 may continue to step 710 wherein a listing of endpoints authorized to access the cloud-based conference platform can be received. In step 712, a request for an identity of an endpoint of the listing of endpoints authorized to access the cloud-based conference platform can be received. If the requesting endpoint is authorized to receive the requested identity, procedure 700 may continue to step 714 wherein the identity of the requested endpoint is provided to the requesting endpoint.
  • It should be noted that while certain steps within procedure 700 may be optional as described above, the steps shown in FIG. 7 are merely examples for illustration, and steps may be included or excluded as desired. Further, while a particular order of the steps is shown, this ordering is merely illustrative, and any suitable arrangement of the steps may be utilized without departing from the scope of the embodiments described herein.
  • FIG. 8 illustrates an example system architecture of some embodiments of the present technology. Persons of ordinary skill in the art will also readily appreciate that other system embodiments are possible.
  • FIG. 8 illustrates a conventional bus computing system architecture 800 wherein the components of the system are in electrical communication with each other using a bus 805. Exemplary system 800 includes a processing unit (CPU or processor) 810 and a system bus 805 that couples various system components including the system memory 815, such as read only memory (ROM) 820 and random access memory (RAM) 825, to the processor 810. The system 800 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 810. The system 800 can copy data from the memory 815 and/or the storage device 830 to the cache 812 for quick access by the processor 810. In this way, the cache can provide a performance boost that avoids processor 810 delays while waiting for data. These and other modules can control or be configured to control the processor 810 to perform various actions. Other system memory 815 may be available for use as well. The memory 815 can include multiple different types of memory with different performance characteristics. The processor 810 can include any general purpose processor and a hardware module or software module, such as module 1 832, module 2 834, and module 3 836 stored in storage device 830, configured to control the processor 810 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. The processor 810 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.
  • To enable user interaction with the computing system architecture 800, an input device 845 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 835 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with the computing device 800. The communications interface 840 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
  • Storage device 830 can be a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 825, read only memory (ROM) 820, and hybrids thereof.
  • The storage device 830 can include software modules 832, 834, 836 for controlling the processor 810. Other hardware or software modules are contemplated. The storage device 830 can be connected to the system bus 805. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 810, bus 805, display 835, and so forth, to carry out the function.
  • It can be appreciated that example system 800 can have more than one processor 810 or be part of a group or cluster of computing devices networked together to provide greater processing capability.
  • For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
  • In some embodiments the computer-readable storage devices, media, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
  • Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
  • Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rack mount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
  • The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
  • Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims. Moreover, claim language reciting “at least one of” a set indicates that one member of the set or multiple members of the set satisfy the claim. Further, features described with reference to an embodiment disclosed herein can be combined with, or implemented in, any other embodiments disclosed herein.
  • The techniques disclosed herein can provide increased privacy among endpoints communicating via a cloud-based network which may result in more efficient network packet processing as fewer data may be required for network packet transmissions, which may result in fewer processor cycles required to route signals and thus improved efficiency of the network processors used to implement some embodiments of the present technology.
  • While there have been shown and described illustrative embodiments of the present technology, it is to be understood that various other adaptations and modifications may be made within the spirit and scope of the embodiments herein. For example, the embodiments have been shown and described herein with relation to a particular communication system. However, the embodiments in their broader sense are not as limited, and may, in fact, be used with any number of communication systems.
  • Further, although the foregoing description has been directed to specific embodiments, it will be apparent that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium, devices, and memories (e.g., disks/CDs/RAM/EEPROM/ etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Further, methods describing the various functions and techniques described herein can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code.
  • Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include cloud-based media, magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and the like. In addition, devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, tablets, wearable devices, small form factor personal computers, personal digital assistants, and the like. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example. Instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein.

Claims (20)

What is claimed is:
1. A non-transitory computer-readable medium including instructions stored thereon, the instructions, when executed by a processor, operable to:
receive a first request from a first endpoint to access a cloud-based conference platform, wherein the first request includes a first access token;
based at least on the first request, provide a first certificate to the first endpoint, wherein the first certificate does not include an identity of the first endpoint;
receive a second request from a second endpoint to access the cloud-based conference platform, wherein the second request includes a second access token;
based at least on the second request, provide a second certificate to the second endpoint, wherein the second certificate does not include an identity of the second endpoint; and
route data within the cloud-based conference platform between the first endpoint and second endpoint based at least on the first certificate and the second certificate.
2. The non-transitory computer-readable medium of claim 1, wherein access tokens provide at least one of temporary access or one-time access to the cloud-based conference platform.
3. The non-transitory computer-readable medium of claim 1, wherein access tokens are provided by an identity provider hosted by an enterprise network associated with the first endpoint.
4. The non-transitory computer-readable medium of claim 1, wherein access tokens are provided by an identity provider hosted by a separate network from the first endpoint and the second endpoint.
5. The non-transitory computer-readable medium of claim 4, wherein the first endpoint provides a listing of endpoints to the identity provider that lists endpoints authorized to receive the identity of the first endpoint, wherein the listing of endpoints includes at least the second endpoint, wherein an identity provider proxy generates and validates identity assertions of endpoints requesting the identity of the first endpoint.
6. The non-transitory computer-readable medium of claim 5, wherein the identity provider provides the identity of the first endpoint to the second endpoint upon request by the second endpoint, wherein the identity provider does not provide the identity of the first endpoint to an endpoint not listed in the listing of endpoints authorized to receive the identity of the first endpoint.
7. A non-transitory computer-readable medium including instructions stored thereon, the instructions, when executed by a processor, operable to:
receive a first request from a first endpoint to access a cloud-based conference platform;
in response to the first request, provide a first access token to the first endpoint;
based at least on the first request, provide a first certificate to the first endpoint, wherein the first certificate does not include an identity of the first endpoint;
receive a second request from a second endpoint to access the cloud-based conference platform;
in response to the second request, provide a second access token to the second endpoint;
based at least on the second request, provide a second certificate to the second endpoint, wherein the second certificate does not include an identity of the second endpoint; and
wherein the first endpoint and the second endpoint communicate with each other in the cloud-based conference platform using at least the first certificate and the second certificate.
8. The non-transitory computer-readable medium of claim 7, the instructions further operable to:
receive a listing of endpoints authorized to access the cloud-based conference platform;
receive a request for an identity of an endpoint of the listing of endpoints authorized to access the cloud-based conference platform; and
based at least upon the listing of endpoints authorized to access the cloud-based conference platform, provide the identity of the endpoint.
9. The non-transitory computer-readable medium of claim 8, the instructions further operable to:
receive a request from the second endpoint for the identity of the first endpoint; and
based at least upon the listing of endpoints authorized to access the cloud-based conference platform, provide the identity of the first endpoint to the second endpoint.
10. The non-transitory computer-readable medium of claim 7, wherein access tokens provide at least one of temporary access or one-time access to the cloud-based conference platform.
11. The non-transitory computer-readable medium of claim 7, wherein access tokens are provided by an identity provider hosted by an enterprise network associated with the first endpoint.
12. The non-transitory computer-readable medium of claim 7, wherein access tokens are provided by an identity provider hosted by a separate network from the first endpoint and the second endpoint.
13. A system, comprising:
one or more processors;
an identity provider proxy; and
a memory configured to store a process, the process, when executed by the one or more processors, being operable to:
receive a first request from a first endpoint of a first network to access a cloud-based conference platform in a cloud network, wherein the first request includes a first access token;
based at least on the first request, provide a first certificate to the first endpoint, wherein the first certificate does not include an identity of the first endpoint;
receive a second request from a second endpoint of a second network to access the cloud-based conference platform in the cloud network, wherein the second request includes a second access token;
based at least on the second request, provide a second certificate to the second endpoint, wherein the second certificate does not include an identity of the second endpoint; and
route data within the cloud-based conference platform of the cloud network between the first endpoint and second endpoint based at least on the first certificate and the second certificate.
14. The system of claim 13, wherein access tokens provide at least one of temporary access or one-time access to the cloud-based conference platform of the cloud network.
15. The system of claim 13, wherein access tokens are provided by an identity provider hosted by a third network.
16. The system of claim 15, wherein the first endpoint provides a listing of endpoints to the identity provider that lists endpoints authorized to receive the identity of the first endpoint, wherein the listing of endpoints includes at least the second endpoint, wherein the identity provider proxy generates and validates identity assertions of endpoints requesting the identity of the first endpoint.
17. The system of claim 16, wherein the identity provider provides the identity of the first endpoint to the second endpoint upon request by the second endpoint, wherein the identity provider does not provide the identity of the first endpoint to an endpoint not listed in the listing of endpoints authorized to receive the identity of the first endpoint.
18. A method, comprising:
receiving a first request from a first endpoint to access a cloud-based conference platform, wherein the first request includes a first access token;
based at least on the first request, providing a first certificate to the first endpoint, wherein the first certificate does not include an identity of the first endpoint;
receiving a second request from a second endpoint to access the cloud-based conference platform, wherein the second request includes a second access token;
based at least on the second request, providing a second certificate to the second endpoint, wherein the second certificate does not include an identity of the second endpoint; and
routing data within the cloud-based conference platform between the first endpoint and second endpoint based at least on the first certificate and the second certificate.
19. The method of claim 18, wherein access tokens are provided by an identity provider hosted by an enterprise network associated with the first endpoint.
20. The method of claim 18, wherein access tokens are provided by an identity provider hosted by a separate network from the first endpoint and the second endpoint.
US14/942,898 2015-11-16 2015-11-16 Endpoint privacy preservation with cloud conferencing Active 2036-01-29 US10523657B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/942,898 US10523657B2 (en) 2015-11-16 2015-11-16 Endpoint privacy preservation with cloud conferencing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/942,898 US10523657B2 (en) 2015-11-16 2015-11-16 Endpoint privacy preservation with cloud conferencing

Publications (2)

Publication Number Publication Date
US20170142096A1 true US20170142096A1 (en) 2017-05-18
US10523657B2 US10523657B2 (en) 2019-12-31

Family

ID=58691584

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/942,898 Active 2036-01-29 US10523657B2 (en) 2015-11-16 2015-11-16 Endpoint privacy preservation with cloud conferencing

Country Status (1)

Country Link
US (1) US10523657B2 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170171248A1 (en) * 2015-12-14 2017-06-15 International Business Machines Corporation Method and Apparatus for Data Protection in Cloud-Based Matching System
US10348784B2 (en) * 2017-02-15 2019-07-09 Microsoft Technology Licensing, Llc Conferencing server directly accessible from public internet
WO2020174121A1 (en) * 2019-02-28 2020-09-03 Nokia Technologies Oy Inter-mobile network communication authorization
US11075892B2 (en) * 2019-03-21 2021-07-27 ColorTokens, Inc. Fully cloaked network communication model for remediation of traffic analysis based network attacks
CN114827134A (en) * 2022-07-01 2022-07-29 深圳乐播科技有限公司 Differentiated pushing method, related device and display method for cloud conference desktop
US20220247730A1 (en) * 2021-01-29 2022-08-04 Apple Inc. Electronic conferencing
US20220329574A1 (en) * 2021-01-29 2022-10-13 Zoom Video Communications, Inc. Locking encrypted video conferences
WO2023129730A1 (en) * 2021-12-30 2023-07-06 TruU, Inc. Remotely accessing an endpoint device using a distributed systems architecture
EP4224789A1 (en) * 2022-02-07 2023-08-09 Abb Schweiz Ag Access control enforcement architectures for dynamic manufacturing systems

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6298153B1 (en) * 1998-01-16 2001-10-02 Canon Kabushiki Kaisha Digital signature method and information communication system and apparatus using such method
US20070242830A1 (en) * 2004-06-25 2007-10-18 Koninklijke Philips Electronics, N.V. Anonymous Certificates with Anonymous Certificate Show
US20090083183A1 (en) * 2007-09-21 2009-03-26 Microsoft Corporation Distributed secure anonymous conferencing
US20090265753A1 (en) * 2008-04-16 2009-10-22 Sun Microsystems, Inc. Using opaque groups in a federated identity management environment
US20100131765A1 (en) * 2008-11-26 2010-05-27 Microsoft Corporation Anonymous verifiable public key certificates
US20100325441A1 (en) * 2009-06-23 2010-12-23 Bennet Laurie Privacy-preserving flexible anonymous-pseudonymous access
US20110213966A1 (en) * 2010-02-26 2011-09-01 Christina Fu Automatically generating a certificate operation request
US20130162753A1 (en) * 2011-12-22 2013-06-27 Verizon Patent And Licensing, Inc. Multi-enterprise video conference service
US20140141720A1 (en) * 2012-11-21 2014-05-22 Acer Incorporated Cloud Service for making Social Connections
US9628471B1 (en) * 2011-05-03 2017-04-18 Symantec Corporation Protecting user identity at a cloud using a distributed user identity system

Family Cites Families (403)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5889896A (en) 1994-02-09 1999-03-30 Meshinsky; John System for performing multiple processes on images of scanned documents
US5812773A (en) 1996-07-12 1998-09-22 Microsoft Corporation System and method for the distribution of hierarchically structured data
US6108782A (en) 1996-12-13 2000-08-22 3Com Corporation Distributed remote monitoring (dRMON) for networks
US6091705A (en) 1996-12-20 2000-07-18 Sebring Systems, Inc. Method and apparatus for a fault tolerant, software transparent and high data integrity extension to a backplane bus or interconnect
US6178453B1 (en) 1997-02-18 2001-01-23 Netspeak Corporation Virtual circuit switching architecture
US6735631B1 (en) 1998-02-10 2004-05-11 Sprint Communications Company, L.P. Method and system for networking redirecting
US20020004900A1 (en) * 1998-09-04 2002-01-10 Baiju V. Patel Method for secure anonymous communication
US6643260B1 (en) 1998-12-18 2003-11-04 Cisco Technology, Inc. Method and apparatus for implementing a quality of service policy in a data communications network
US20040095237A1 (en) 1999-01-09 2004-05-20 Chen Kimball C. Electronic message delivery system utilizable in the monitoring and control of remote equipment and method of same
ATE277378T1 (en) 1999-10-25 2004-10-15 Texas Instruments Inc INTELLIGENT POWER CONTROL IN DISTRIBUTED PROCESSING SYSTEMS
US6707794B1 (en) 1999-11-15 2004-03-16 Networks Associates Technology, Inc. Method, system and computer program product for physical link layer handshake protocol analysis
US6343290B1 (en) 1999-12-22 2002-01-29 Celeritas Technologies, L.L.C. Geographic network management system
US6683873B1 (en) 1999-12-27 2004-01-27 Cisco Technology, Inc. Methods and apparatus for redirecting network traffic
JP4162347B2 (en) 2000-01-31 2008-10-08 富士通株式会社 Network system
US7058706B1 (en) 2000-03-31 2006-06-06 Akamai Technologies, Inc. Method and apparatus for determining latency between multiple servers and a client
US6721804B1 (en) 2000-04-07 2004-04-13 Danger, Inc. Portal system for converting requested data into a bytecode format based on portal device's graphical capabilities
US20030228585A1 (en) 2000-06-01 2003-12-11 Hidetoshi Inoko Kit and method for determining hla type
US7917647B2 (en) 2000-06-16 2011-03-29 Mcafee, Inc. Method and apparatus for rate limiting
US7062571B1 (en) 2000-06-30 2006-06-13 Cisco Technology, Inc. Efficient IP load-balancing traffic distribution using ternary CAMs
US7051078B1 (en) 2000-07-10 2006-05-23 Cisco Technology, Inc. Hierarchical associative memory-based classification system
AU2001288463A1 (en) 2000-08-30 2002-03-13 Citibank, N.A. Method and system for internet hosting and security
US7596784B2 (en) 2000-09-12 2009-09-29 Symantec Operating Corporation Method system and apparatus for providing pay-per-use distributed computing resources
US6996615B1 (en) 2000-09-29 2006-02-07 Cisco Technology, Inc. Highly scalable least connections load balancing
US7054930B1 (en) 2000-10-26 2006-05-30 Cisco Technology, Inc. System and method for propagating filters
US20020143928A1 (en) 2000-12-07 2002-10-03 Maltz David A. Method and system for collection and storage of traffic data in a computer network
US7065482B2 (en) 2001-05-17 2006-06-20 International Business Machines Corporation Internet traffic analysis tool
US7002965B1 (en) 2001-05-21 2006-02-21 Cisco Technology, Inc. Method and apparatus for using ternary and binary content-addressable memory stages to classify packets
EP1410210A4 (en) 2001-06-11 2005-12-14 Bluefire Security Technology I Packet filtering system and methods
US7212490B1 (en) 2001-07-06 2007-05-01 Cisco Technology, Inc. Dynamic load balancing for dual ring topology networks
US7028098B2 (en) 2001-07-20 2006-04-11 Nokia, Inc. Selective routing of data flows using a TCAM
JP2003345612A (en) 2002-05-28 2003-12-05 Sony Corp Arithmetic processing system, task control method on computer system, and computer program
US8103755B2 (en) 2002-07-02 2012-01-24 Arbor Networks, Inc. Apparatus and method for managing a provider network
US7313667B1 (en) 2002-08-05 2007-12-25 Cisco Technology, Inc. Methods and apparatus for mapping fields of entries into new values and combining these mapped values into mapped entries for use in lookup operations such as for packet processing
US20040131059A1 (en) 2002-09-19 2004-07-08 Ram Ayyakad Single-pass packet scan
US7076397B2 (en) 2002-10-17 2006-07-11 Bmc Software, Inc. System and method for statistical performance monitoring
US7536476B1 (en) 2002-12-20 2009-05-19 Cisco Technology, Inc. Method for performing tree based ACL lookups
US6733449B1 (en) 2003-03-20 2004-05-11 Siemens Medical Solutions Usa, Inc. System and method for real-time streaming of ultrasound data to a diagnostic medical ultrasound streaming application
US7567504B2 (en) 2003-06-30 2009-07-28 Microsoft Corporation Network load balancing with traffic routing
US20050060418A1 (en) 2003-09-17 2005-03-17 Gennady Sorokopud Packet classification
US7474653B2 (en) 2003-12-05 2009-01-06 Hewlett-Packard Development Company, L.P. Decision cache using multi-key lookup
US7496661B1 (en) 2004-03-29 2009-02-24 Packeteer, Inc. Adaptive, application-aware selection of differentiated network services
US7379846B1 (en) 2004-06-29 2008-05-27 Sun Microsystems, Inc. System and method for automated problem diagnosis
US7684322B2 (en) 2004-07-01 2010-03-23 Nortel Networks Limited Flow admission control in an IP network
US20060059558A1 (en) 2004-09-15 2006-03-16 John Selep Proactive containment of network security attacks
US7881957B1 (en) 2004-11-16 2011-02-01 Amazon Technologies, Inc. Identifying tasks for task performers based on task subscriptions
WO2006058065A2 (en) 2004-11-23 2006-06-01 Nighthawk Radiology Services Methods and systems for providing data across a network
US7711158B2 (en) 2004-12-04 2010-05-04 Electronics And Telecommunications Research Institute Method and apparatus for classifying fingerprint image quality, and fingerprint image recognition system using the same
US7548562B2 (en) 2004-12-14 2009-06-16 Agilent Technologies, Inc. High speed acquisition system that allows capture from a packet network and streams the data to a storage medium
US20060146825A1 (en) 2004-12-30 2006-07-06 Padcom, Inc. Network based quality of service
US7808897B1 (en) 2005-03-01 2010-10-05 International Business Machines Corporation Fast network security utilizing intrusion prevention systems
EP2360588B1 (en) 2005-03-16 2017-10-04 III Holdings 12, LLC Automatic workload transfer to an on-demand center
US20110016214A1 (en) 2009-07-15 2011-01-20 Cluster Resources, Inc. System and method of brokering cloud computing resources
US9015324B2 (en) 2005-03-16 2015-04-21 Adaptive Computing Enterprises, Inc. System and method of brokering cloud computing resources
US7480672B2 (en) 2005-03-31 2009-01-20 Sap Ag Multiple log queues in a database management system
US7606147B2 (en) 2005-04-13 2009-10-20 Zeugma Systems Inc. Application aware traffic shaping service node positioned between the access and core networks
US9065727B1 (en) 2012-08-31 2015-06-23 Google Inc. Device identifier similarity models derived from online event signals
US7464303B2 (en) 2005-06-09 2008-12-09 International Business Machines Corporation Autonomically adjusting configuration parameters for a server when a different server fails
US7716335B2 (en) 2005-06-27 2010-05-11 Oracle America, Inc. System and method for automated workload characterization of an application server
US7607043B2 (en) 2006-01-04 2009-10-20 International Business Machines Corporation Analysis of mutually exclusive conflicts among redundant devices
US7613955B2 (en) 2006-01-06 2009-11-03 Microsoft Corporation Collecting debug data from a wireless device
US8028071B1 (en) 2006-02-15 2011-09-27 Vmware, Inc. TCP/IP offload engine virtualization system and methods
US8040895B2 (en) 2006-03-22 2011-10-18 Cisco Technology, Inc. Method and system for removing dead access control entries (ACEs)
US7778183B2 (en) 2006-03-31 2010-08-17 International Business Machines Corporation Data replica selector
WO2007134305A2 (en) 2006-05-12 2007-11-22 Convenous, Llc Apparatus, system, method and computer program product for collaboration via one or more networks
US7761596B2 (en) 2006-06-30 2010-07-20 Telefonaktiebolaget L M Ericsson (Publ) Router and method for server load balancing
US8533687B1 (en) 2009-11-30 2013-09-10 dynaTrade Software GmbH Methods and system for global real-time transaction tracing
US8194664B2 (en) 2006-10-10 2012-06-05 Cisco Technology, Inc. Two-level load-balancing of network traffic over an MPLS network
JP4333736B2 (en) 2006-12-19 2009-09-16 村田機械株式会社 Relay server and client terminal
US7653063B2 (en) 2007-01-05 2010-01-26 Cisco Technology, Inc. Source address binding check
US8103773B2 (en) 2007-01-19 2012-01-24 Cisco Technology, Inc. Transactional application processing in a distributed environment
WO2008112048A1 (en) * 2007-02-02 2008-09-18 Tecordia Technologies, Inc. Method and system to authorize and assign digital certificates without loss of privacy
US20080201455A1 (en) 2007-02-15 2008-08-21 Husain Syed M Amir Moving Execution of a Virtual Machine Across Different Virtualization Platforms
US8406141B1 (en) 2007-03-12 2013-03-26 Cybertap, Llc Network search methods and systems
US7853998B2 (en) 2007-03-22 2010-12-14 Mocana Corporation Firewall propagation
US7773510B2 (en) 2007-05-25 2010-08-10 Zeugma Systems Inc. Application routing in a distributed compute environment
US9678803B2 (en) 2007-06-22 2017-06-13 Red Hat, Inc. Migration of network entities to a cloud infrastructure
US9495152B2 (en) 2007-06-22 2016-11-15 Red Hat, Inc. Automatic baselining of business application service groups comprised of virtual machines
US8301740B2 (en) 2007-06-27 2012-10-30 Ca, Inc. Autonomic control of a distributed computing system using dynamically assembled resource chains
US20090010277A1 (en) 2007-07-03 2009-01-08 Eran Halbraich Method and system for selecting a recording route in a multi-media recording environment
US8205208B2 (en) 2007-07-24 2012-06-19 Internaitonal Business Machines Corporation Scheduling grid jobs using dynamic grid scheduling policy
US8284664B1 (en) 2007-09-28 2012-10-09 Juniper Networks, Inc. Redirecting data units to service modules based on service tags and a redirection table
US8121117B1 (en) 2007-10-01 2012-02-21 F5 Networks, Inc. Application layer network traffic prioritization
US8862765B2 (en) 2007-10-18 2014-10-14 Arris Solutions, Inc. Fair bandwidth redistribution algorithm
US8583797B2 (en) 2008-01-07 2013-11-12 Ca, Inc. Interdependent capacity levels of resources in a distributed computing system
US20090178058A1 (en) 2008-01-09 2009-07-09 Microsoft Corporation Application Aware Networking
CN101521569B (en) * 2008-02-28 2013-04-24 华为技术有限公司 Method, equipment and system for realizing service access
US8935692B2 (en) 2008-05-22 2015-01-13 Red Hat, Inc. Self-management of virtual machines in cloud-based networks
US8943497B2 (en) 2008-05-29 2015-01-27 Red Hat, Inc. Managing subscriptions for cloud-based virtual machines
US8171415B2 (en) 2008-06-11 2012-05-01 International Business Machines Corporation Outage management portal leveraging back-end resources to create a role and user tailored front-end interface for coordinating outage responses
US8429675B1 (en) 2008-06-13 2013-04-23 Netapp, Inc. Virtual machine communication
EP2316071A4 (en) 2008-06-19 2011-08-17 Servicemesh Inc Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US9069599B2 (en) 2008-06-19 2015-06-30 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US8175103B2 (en) 2008-06-26 2012-05-08 Rockstar Bidco, LP Dynamic networking of virtual machines
US8479192B2 (en) 2008-06-27 2013-07-02 Xerox Corporation Dynamic XPS filter
US8250215B2 (en) 2008-08-12 2012-08-21 Sap Ag Method and system for intelligently leveraging cloud computing resources
US8706878B1 (en) 2008-08-21 2014-04-22 United Services Automobile Association Preferential loading in data centers
WO2010062435A1 (en) 2008-09-04 2010-06-03 Telcordia Technologies, Inc. Computing diagnostic explanations of network faults from monitoring data
US8238256B2 (en) 2008-09-08 2012-08-07 Nugent Raymond M System and method for cloud computing
US8041714B2 (en) 2008-09-15 2011-10-18 Palantir Technologies, Inc. Filter chains with associated views for exploring large data sets
CN101394360B (en) 2008-11-10 2011-07-20 北京星网锐捷网络技术有限公司 Processing method, access device and communication system for address resolution protocol
EP2211508A1 (en) 2009-01-22 2010-07-28 IBBT vzw Method and device for characterising a data flow in a network for transferring media data
US8566362B2 (en) 2009-01-23 2013-10-22 Nasuni Corporation Method and system for versioned file system using structured data representations
US20120005724A1 (en) 2009-02-09 2012-01-05 Imera Systems, Inc. Method and system for protecting private enterprise resources in a cloud computing environment
US8510735B2 (en) 2009-02-11 2013-08-13 International Business Machines Corporation Runtime environment for virtualizing information technology appliances
US8341427B2 (en) 2009-02-16 2012-12-25 Microsoft Corporation Trusted cloud computing and services framework
US8432919B2 (en) 2009-02-25 2013-04-30 Cisco Technology, Inc. Data stream classification
US9473555B2 (en) 2012-12-31 2016-10-18 The Nielsen Company (Us), Llc Apparatus, system and methods for portable device tracking using temporary privileged access
EP2228719A1 (en) 2009-03-11 2010-09-15 Zimory GmbH Method of executing a virtual machine, computing system and computer program
US8271615B2 (en) 2009-03-31 2012-09-18 Cloud Connex, Llc Centrally managing and monitoring software as a service (SaaS) applications
US8560639B2 (en) 2009-04-24 2013-10-15 Microsoft Corporation Dynamic placement of replica data
US8516106B2 (en) 2009-05-18 2013-08-20 International Business Machines Corporation Use tag clouds to visualize components related to an event
TW201112006A (en) 2009-05-29 2011-04-01 Ibm Computer system, method and program product
US8639787B2 (en) 2009-06-01 2014-01-28 Oracle International Corporation System and method for creating or reconfiguring a virtual server image for cloud deployment
JP5400482B2 (en) 2009-06-04 2014-01-29 株式会社日立製作所 Management computer, resource management method, resource management program, recording medium, and information processing system
US8284776B2 (en) 2009-06-10 2012-10-09 Broadcom Corporation Recursive packet header processing
US20100318609A1 (en) 2009-06-15 2010-12-16 Microsoft Corporation Bridging enterprise networks into cloud
EP2267983B1 (en) 2009-06-22 2018-08-08 Citrix Systems, Inc. System and method for providing link management in a multi-core system
KR101626117B1 (en) 2009-06-22 2016-05-31 삼성전자주식회사 Client, brokerage sever and method for providing cloud storage
US8244559B2 (en) 2009-06-26 2012-08-14 Microsoft Corporation Cloud computing resource broker
US20100333116A1 (en) 2009-06-30 2010-12-30 Anand Prahlad Cloud gateway system for managing data storage to cloud storage sites
US8234377B2 (en) 2009-07-22 2012-07-31 Amazon Technologies, Inc. Dynamically migrating computer networks
US8966475B2 (en) 2009-08-10 2015-02-24 Novell, Inc. Workload management for heterogeneous hosts in a computing system environment
US8510469B2 (en) 2009-08-31 2013-08-13 Cisco Technology, Inc. Measuring attributes of client-server applications
US8862720B2 (en) 2009-08-31 2014-10-14 Red Hat, Inc. Flexible cloud management including external clouds
US8271653B2 (en) 2009-08-31 2012-09-18 Red Hat, Inc. Methods and systems for cloud management using multiple cloud management schemes to allow communication between independently controlled clouds
US20110072489A1 (en) 2009-09-23 2011-03-24 Gilad Parann-Nissany Methods, devices, and media for securely utilizing a non-secured, distributed, virtualized network resource with applications to cloud-computing security and management
US8532108B2 (en) 2009-09-30 2013-09-10 Alcatel Lucent Layer 2 seamless site extension of enterprises in cloud computing
JP2011076292A (en) 2009-09-30 2011-04-14 Hitachi Ltd Method for designing failure cause analysis rule in accordance with available device information, and computer
US8880682B2 (en) 2009-10-06 2014-11-04 Emc Corporation Integrated forensics platform for analyzing IT resources consumed to derive operational and architectural recommendations
US20110110382A1 (en) 2009-11-10 2011-05-12 Cisco Technology, Inc., A Corporation Of California Distribution of Packets Among PortChannel Groups of PortChannel Links
US8611356B2 (en) 2009-11-13 2013-12-17 Exalt Communications Incorporated Apparatus for ethernet traffic aggregation of radio links
US20110126197A1 (en) 2009-11-25 2011-05-26 Novell, Inc. System and method for controlling cloud and virtualized data centers in an intelligent workload management system
CN101719930A (en) 2009-11-27 2010-06-02 南京邮电大学 Cloud money-based hierarchical cloud computing system excitation method
GB2475897A (en) 2009-12-04 2011-06-08 Creme Software Ltd Resource allocation using estimated time to complete jobs in a grid or cloud computing environment
US8037187B2 (en) 2009-12-11 2011-10-11 International Business Machines Corporation Resource exchange management within a cloud computing environment
US20130117337A1 (en) 2009-12-23 2013-05-09 Gary M. Dunham Locally Connected Cloud Storage Device
US9959147B2 (en) 2010-01-13 2018-05-01 Vmware, Inc. Cluster configuration through host ranking
US9883008B2 (en) 2010-01-15 2018-01-30 Endurance International Group, Inc. Virtualization of multiple distinct website hosting architectures
WO2011091056A1 (en) 2010-01-19 2011-07-28 Servicemesh, Inc. System and method for a cloud computing abstraction layer
US8301746B2 (en) 2010-01-26 2012-10-30 International Business Machines Corporation Method and system for abstracting non-functional requirements based deployment of virtual machines
US8797866B2 (en) 2010-02-12 2014-08-05 Cisco Technology, Inc. Automatic adjusting of reputation thresholds in order to change the processing of certain packets
US20110213687A1 (en) 2010-02-26 2011-09-01 James Michael Ferris Systems and methods for or a usage manager for cross-cloud appliances
US9129086B2 (en) 2010-03-04 2015-09-08 International Business Machines Corporation Providing security services within a cloud computing environment
US20110239039A1 (en) 2010-03-26 2011-09-29 Dieffenbach Devon C Cloud computing enabled robust initialization and recovery of it services
US20110252327A1 (en) 2010-03-26 2011-10-13 Actiance, Inc. Methods, systems, and user interfaces for graphical summaries of network activities
US8886806B2 (en) 2010-04-07 2014-11-11 Accenture Global Services Limited Generic control layer in a cloud environment
US8243598B2 (en) 2010-04-26 2012-08-14 International Business Machines Corporation Load-balancing via modulus distribution and TCP flow redirection due to server overload
US8345692B2 (en) 2010-04-27 2013-01-01 Cisco Technology, Inc. Virtual switching overlay for cloud computing
US8547974B1 (en) 2010-05-05 2013-10-01 Mu Dynamics Generating communication protocol test cases based on network traffic
US8719804B2 (en) 2010-05-05 2014-05-06 Microsoft Corporation Managing runtime execution of applications on cloud computing systems
US8688792B2 (en) 2010-05-06 2014-04-01 Nec Laboratories America, Inc. Methods and systems for discovering configuration data
US8910278B2 (en) 2010-05-18 2014-12-09 Cloudnexa Managing services in a cloud computing environment
CN102255933B (en) 2010-05-20 2016-03-30 中兴通讯股份有限公司 Cloud service intermediary, cloud computing method and cloud system
US8954564B2 (en) 2010-05-28 2015-02-10 Red Hat, Inc. Cross-cloud vendor mapping service in cloud marketplace
US8477610B2 (en) 2010-05-31 2013-07-02 Microsoft Corporation Applying policies to schedule network bandwidth among virtual machines
US8909928B2 (en) 2010-06-02 2014-12-09 Vmware, Inc. Securing customer virtual machines in a multi-tenant cloud
US8705395B2 (en) 2010-06-15 2014-04-22 Jds Uniphase Corporation Method for time aware inline remote mirroring
US8352415B2 (en) 2010-06-15 2013-01-08 International Business Machines Corporation Converting images in virtual environments
US8135979B2 (en) 2010-06-24 2012-03-13 Hewlett-Packard Development Company, L.P. Collecting network-level packets into a data structure in response to an abnormal condition
US9201701B2 (en) 2010-07-16 2015-12-01 Nokia Technologies Oy Method and apparatus for distributing computation closures
US8843832B2 (en) 2010-07-23 2014-09-23 Reh Hat, Inc. Architecture, system and method for a real-time collaboration interface
TWM394537U (en) 2010-08-17 2010-12-11 Chunghwa Telecom Co Ltd A system for providing web cloud integrated services
US8473557B2 (en) 2010-08-24 2013-06-25 At&T Intellectual Property I, L.P. Methods and apparatus to migrate virtual machines between distributive computing networks across a wide area network
US8656023B1 (en) 2010-08-26 2014-02-18 Adobe Systems Incorporated Optimization scheduler for deploying applications on a cloud
US9311158B2 (en) 2010-09-03 2016-04-12 Adobe Systems Incorporated Determining a work distribution model between a client device and a cloud for an application deployed on the cloud
US8539597B2 (en) 2010-09-16 2013-09-17 International Business Machines Corporation Securing sensitive data for cloud computing
US8572241B2 (en) 2010-09-17 2013-10-29 Microsoft Corporation Integrating external and cluster heat map data
US8413145B2 (en) 2010-09-30 2013-04-02 Avaya Inc. Method and apparatus for efficient memory replication for high availability (HA) protection of a virtual machine (VM)
WO2012042509A1 (en) 2010-10-01 2012-04-05 Peter Chacko A distributed virtual storage cloud architecture and a method thereof
US9110727B2 (en) 2010-10-05 2015-08-18 Unisys Corporation Automatic replication of virtual machines
EP2439637A1 (en) 2010-10-07 2012-04-11 Deutsche Telekom AG Method and system of providing access to a virtual machine distributed in a hybrid cloud network
US8797867B1 (en) 2010-10-18 2014-08-05 Juniper Networks, Inc. Generating and enforcing a holistic quality of service policy in a network
CN102457583B (en) 2010-10-19 2014-09-10 中兴通讯股份有限公司 Realization method of mobility of virtual machine and system thereof
US8909744B2 (en) 2010-10-20 2014-12-09 Hcl Technologies Limited System and method for transitioning to cloud computing environment
US9075661B2 (en) 2010-10-20 2015-07-07 Microsoft Technology Licensing, Llc Placing objects on hosts using hard and soft constraints
US8407413B1 (en) 2010-11-05 2013-03-26 Netapp, Inc Hardware flow classification for data storage services
US8612615B2 (en) 2010-11-23 2013-12-17 Red Hat, Inc. Systems and methods for identifying usage histories for producing optimized cloud utilization
JP5725812B2 (en) 2010-11-25 2015-05-27 キヤノン株式会社 Document processing apparatus, document processing method, and program
US8560792B2 (en) 2010-12-16 2013-10-15 International Business Machines Corporation Synchronous extent migration protocol for paired storage
US10176018B2 (en) 2010-12-21 2019-01-08 Intel Corporation Virtual core abstraction for cloud computing
US8832111B2 (en) 2010-12-30 2014-09-09 Facebook, Inc. Distributed cache for graph data
US8495356B2 (en) 2010-12-31 2013-07-23 International Business Machines Corporation System for securing virtual machine disks on a remote shared storage subsystem
US8935383B2 (en) 2010-12-31 2015-01-13 Verisign, Inc. Systems, apparatus, and methods for network data analysis
US20120179909A1 (en) 2011-01-06 2012-07-12 Pitney Bowes Inc. Systems and methods for providing individual electronic document secure storage, retrieval and use
US8448171B2 (en) 2011-01-07 2013-05-21 International Business Machines Corporation Communications between virtual machines that have been migrated
US8495252B2 (en) 2011-01-17 2013-07-23 International Business Machines Corporation Implementing PCI-express memory domains for single root virtualized devices
US20120182891A1 (en) 2011-01-19 2012-07-19 Youngseok Lee Packet analysis system and method using hadoop based parallel computation
US9225554B2 (en) 2011-01-26 2015-12-29 Cisco Technology, Inc. Device-health-based dynamic configuration of network management systems suited for network operations
US8619568B2 (en) 2011-02-04 2013-12-31 Cisco Technology, Inc. Reassignment of distributed packet flows
US20120204187A1 (en) 2011-02-08 2012-08-09 International Business Machines Corporation Hybrid Cloud Workload Management
US9063789B2 (en) 2011-02-08 2015-06-23 International Business Machines Corporation Hybrid cloud integrator plug-in components
US8805951B1 (en) 2011-02-08 2014-08-12 Emc Corporation Virtual machines and cloud storage caching for cloud computing applications
US9009697B2 (en) 2011-02-08 2015-04-14 International Business Machines Corporation Hybrid cloud integrator
JP5969515B2 (en) 2011-02-22 2016-08-17 フェデックス コーポレイト サービシズ,インコーポレイティド System and method for geostaging sensor data through a distributed global (cloud) architecture
US9053580B2 (en) 2011-02-25 2015-06-09 International Business Machines Corporation Data processing environment integration control interface
US8832818B2 (en) 2011-02-28 2014-09-09 Rackspace Us, Inc. Automated hybrid connections between multiple environments in a data center
US20120236716A1 (en) 2011-03-14 2012-09-20 Atheros Communications, Inc. Profile-based quality of service for wireless communication systems
KR101544482B1 (en) 2011-03-15 2015-08-21 주식회사 케이티 Cloud center controlling apparatus and cloud center selecting method of the same
JP5757324B2 (en) 2011-03-31 2015-07-29 日本電気株式会社 Computer system and communication method
US8875240B2 (en) 2011-04-18 2014-10-28 Bank Of America Corporation Tenant data center for establishing a virtual machine in a cloud environment
KR101544485B1 (en) 2011-04-25 2015-08-17 주식회사 케이티 Method and apparatus for selecting a node to place a replica in cloud storage system
US8806015B2 (en) 2011-05-04 2014-08-12 International Business Machines Corporation Workload-aware placement in private heterogeneous clouds
US9253159B2 (en) 2011-05-06 2016-02-02 Citrix Systems, Inc. Systems and methods for cloud bridging between public and private clouds
US9253252B2 (en) 2011-05-06 2016-02-02 Citrix Systems, Inc. Systems and methods for cloud bridging between intranet resources and cloud resources
US8977754B2 (en) 2011-05-09 2015-03-10 Metacloud Inc. Composite public cloud, method and system
US8590050B2 (en) 2011-05-11 2013-11-19 International Business Machines Corporation Security compliant data storage management
CN102164091B (en) 2011-05-13 2015-01-21 北京星网锐捷网络技术有限公司 Method for building MAC (Media Access Control) address table and provider edge device
US8719627B2 (en) 2011-05-20 2014-05-06 Microsoft Corporation Cross-cloud computing for capacity management and disaster recovery
US9104460B2 (en) 2011-05-31 2015-08-11 Red Hat, Inc. Inter-cloud live migration of virtualization systems
WO2012166106A1 (en) 2011-05-31 2012-12-06 Hewlett-Packard Development Company, L.P. Estimating a performance parameter of a job having map and reduce tasks after a failure
US8984104B2 (en) 2011-05-31 2015-03-17 Red Hat, Inc. Self-moving operating system installation in cloud-based network
US8959526B2 (en) 2011-06-09 2015-02-17 Microsoft Corporation Scheduling execution of complementary jobs based on resource usage
US8806003B2 (en) 2011-06-14 2014-08-12 International Business Machines Corporation Forecasting capacity available for processing workloads in a networked computing environment
US8547975B2 (en) 2011-06-28 2013-10-01 Verisign, Inc. Parallel processing for multiple instance real-time monitoring
US8589543B2 (en) 2011-07-01 2013-11-19 Cisco Technology, Inc. Virtual data center monitoring
US8959003B2 (en) 2011-07-07 2015-02-17 International Business Machines Corporation Interactive data visualization for trend analysis
US20130036213A1 (en) 2011-08-02 2013-02-07 Masum Hasan Virtual private clouds
US8958298B2 (en) 2011-08-17 2015-02-17 Nicira, Inc. Centralized logical L3 routing
US20140156557A1 (en) 2011-08-19 2014-06-05 Jun Zeng Providing a Simulation Service by a Cloud-Based Infrastructure
US8630291B2 (en) 2011-08-22 2014-01-14 Cisco Technology, Inc. Dynamic multi-path forwarding for shared-media communication networks
US9225772B2 (en) 2011-09-26 2015-12-29 Knoa Software, Inc. Method, system and program product for allocation and/or prioritization of electronic resources
WO2013046287A1 (en) 2011-09-26 2013-04-04 株式会社日立製作所 Management computer and method for analysing root cause
CN103023762A (en) 2011-09-27 2013-04-03 阿尔卡特朗讯公司 Cloud computing access gateway and method for providing access to cloud provider for user terminal
US9250941B2 (en) 2011-09-30 2016-02-02 Telefonaktiebolaget L M Ericsson (Publ) Apparatus and method for segregating tenant specific data when using MPLS in openflow-enabled cloud computing
US8560663B2 (en) 2011-09-30 2013-10-15 Telefonaktiebolaget L M Ericsson (Publ) Using MPLS for virtual private cloud network isolation in openflow-enabled cloud computing
US20130091557A1 (en) 2011-10-11 2013-04-11 Wheel Innovationz, Inc. System and method for providing cloud-based cross-platform application stores for mobile computing devices
DE102012217202B4 (en) 2011-10-12 2020-06-18 International Business Machines Corporation Method and system for optimizing the placement of virtual machines in cloud computing environments
US9201690B2 (en) 2011-10-21 2015-12-01 International Business Machines Corporation Resource aware scheduling in a distributed computing environment
US8789179B2 (en) 2011-10-28 2014-07-22 Novell, Inc. Cloud protection techniques
US9311160B2 (en) 2011-11-10 2016-04-12 Verizon Patent And Licensing Inc. Elastic cloud networking
US20130124628A1 (en) * 2011-11-15 2013-05-16 Srilal Weerasinghe Method and apparatus for providing social network based advertising with user control and privacy
US8832249B2 (en) 2011-11-30 2014-09-09 At&T Intellectual Property I, L.P. Methods and apparatus to adjust resource allocation in a distributive computing network
US9916184B2 (en) 2011-12-02 2018-03-13 International Business Machines Corporation Data relocation in global storage cloud environments
US20130152076A1 (en) 2011-12-07 2013-06-13 Cisco Technology, Inc. Network Access Control Policy for Virtual Machine Migration
US9113376B2 (en) 2011-12-09 2015-08-18 Cisco Technology, Inc. Multi-interface mobility
US8694995B2 (en) 2011-12-14 2014-04-08 International Business Machines Corporation Application initiated negotiations for resources meeting a performance parameter in a virtualized computing environment
US8832262B2 (en) 2011-12-15 2014-09-09 Cisco Technology, Inc. Normalizing network performance indexes
US10134056B2 (en) 2011-12-16 2018-11-20 Ebay Inc. Systems and methods for providing information based on location
US8547379B2 (en) 2011-12-29 2013-10-01 Joyent, Inc. Systems, methods, and media for generating multidimensional heat maps
US8555339B2 (en) 2012-01-06 2013-10-08 International Business Machines Corporation Identifying guests in web meetings
US8732291B2 (en) 2012-01-13 2014-05-20 Accenture Global Services Limited Performance interference model for managing consolidated workloads in QOS-aware clouds
US8908698B2 (en) 2012-01-13 2014-12-09 Cisco Technology, Inc. System and method for managing site-to-site VPNs of a cloud managed network
US9336061B2 (en) 2012-01-14 2016-05-10 International Business Machines Corporation Integrated metering of service usage for hybrid clouds
US9529348B2 (en) 2012-01-24 2016-12-27 Emerson Process Management Power & Water Solutions, Inc. Method and apparatus for deploying industrial plant simulators using cloud computing technologies
US9887894B2 (en) 2012-01-27 2018-02-06 Microsoft Technology Licensing, Llc Recommendations for reducing data consumption based on data usage profiles
US9967159B2 (en) 2012-01-31 2018-05-08 Infosys Limited Systems and methods for providing decision time brokerage in a hybrid cloud ecosystem
US8660129B1 (en) 2012-02-02 2014-02-25 Cisco Technology, Inc. Fully distributed routing over a user-configured on-demand virtual network for infrastructure-as-a-service (IaaS) on hybrid cloud networks
US9451303B2 (en) 2012-02-27 2016-09-20 The Nielsen Company (Us), Llc Method and system for gathering and computing an audience's neurologically-based reactions in a distributed framework involving remote storage and computing
US10097406B2 (en) 2012-03-19 2018-10-09 Level 3 Communications, Llc Systems and methods for data mobility with a cloud architecture
US9350671B2 (en) 2012-03-22 2016-05-24 Futurewei Technologies, Inc. Supporting software defined networking with application layer traffic optimization
US20130254415A1 (en) 2012-03-26 2013-09-26 F. Brian Fullen Routing requests over a network
FR2988943A1 (en) 2012-03-29 2013-10-04 France Telecom SYSTEM FOR SUPERVISING THE SAFETY OF AN ARCHITECTURE
EP2645257A3 (en) 2012-03-29 2014-06-18 Prelert Ltd. System and method for visualisation of behaviour within computer infrastructure
US8930747B2 (en) 2012-03-30 2015-01-06 Sungard Availability Services, Lp Private cloud replication and recovery
US9164795B1 (en) 2012-03-30 2015-10-20 Amazon Technologies, Inc. Secure tunnel infrastructure between hosts in a hybrid network environment
US9313048B2 (en) 2012-04-04 2016-04-12 Cisco Technology, Inc. Location aware virtual service provisioning in a hybrid cloud environment
US8856339B2 (en) 2012-04-04 2014-10-07 Cisco Technology, Inc. Automatically scaled network overlay with heuristic monitoring in a hybrid cloud environment
US9201704B2 (en) 2012-04-05 2015-12-01 Cisco Technology, Inc. System and method for migrating application virtual machines in a network environment
US8775576B2 (en) 2012-04-17 2014-07-08 Nimbix, Inc. Reconfigurable cloud computing
US9203784B2 (en) 2012-04-24 2015-12-01 Cisco Technology, Inc. Distributed virtual switch architecture for a hybrid cloud
US8918510B2 (en) 2012-04-27 2014-12-23 Hewlett-Packard Development Company, L. P. Evaluation of cloud computing services
US9223634B2 (en) 2012-05-02 2015-12-29 Cisco Technology, Inc. System and method for simulating virtual machine migration in a network environment
US8909780B1 (en) 2012-05-24 2014-12-09 Amazon Technologies, Inc. Connection following during network reconfiguration
WO2013186870A1 (en) 2012-06-13 2013-12-19 株式会社日立製作所 Service monitoring system and service monitoring method
US9183031B2 (en) 2012-06-19 2015-11-10 Bank Of America Corporation Provisioning of a virtual machine by using a secured zone of a cloud environment
US8938775B1 (en) 2012-06-27 2015-01-20 Amazon Technologies, Inc. Dynamic data loss prevention in a multi-tenant environment
US8909857B2 (en) 2012-06-29 2014-12-09 Broadcom Corporation Efficient storage of ACL frequent ranges in a ternary memory
US9215131B2 (en) 2012-06-29 2015-12-15 Cisco Technology, Inc. Methods for exchanging network management messages using UDP over HTTP protocol
US20140006585A1 (en) 2012-06-29 2014-01-02 Futurewei Technologies, Inc. Providing Mobility in Overlay Networks
US9167050B2 (en) 2012-08-16 2015-10-20 Futurewei Technologies, Inc. Control pool based enterprise policy enabler for controlled cloud access
US20140052877A1 (en) 2012-08-16 2014-02-20 Wenbo Mao Method and apparatus for tenant programmable logical network for multi-tenancy cloud datacenters
US9582221B2 (en) 2012-08-24 2017-02-28 Vmware, Inc. Virtualization-aware data locality in distributed data processing
US10097378B2 (en) 2012-09-07 2018-10-09 Cisco Technology, Inc. Efficient TCAM resource sharing
US9069979B2 (en) 2012-09-07 2015-06-30 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
US9047181B2 (en) 2012-09-07 2015-06-02 Splunk Inc. Visualization of data from clusters
US9634922B2 (en) 2012-09-11 2017-04-25 Board Of Regents Of The Nevada System Of Higher Education, On Behalf Of The University Of Nevada, Reno Apparatus, system, and method for cloud-assisted routing
US9383900B2 (en) 2012-09-12 2016-07-05 International Business Machines Corporation Enabling real-time operational environment conformity to an enterprise model
US8924720B2 (en) 2012-09-27 2014-12-30 Intel Corporation Method and system to securely migrate and provision virtual machine images and content
US8850182B1 (en) 2012-09-28 2014-09-30 Shoretel, Inc. Data capture for secure protocols
US9301205B2 (en) 2012-10-04 2016-03-29 Benu Networks, Inc. Application and content awareness for self optimizing networks
US9369371B2 (en) 2012-10-05 2016-06-14 Cisco Technologies, Inc. Method and system for path monitoring using segment routing
CN106896762B (en) 2012-10-08 2020-07-10 费希尔-罗斯蒙特***公司 Configurable user display in a process control system
US9251114B1 (en) 2012-10-12 2016-02-02 Egnyte, Inc. Systems and methods for facilitating access to private files using a cloud storage system
US9361192B2 (en) 2012-10-19 2016-06-07 Oracle International Corporation Method and apparatus for restoring an instance of a storage server
US9264478B2 (en) 2012-10-30 2016-02-16 Microsoft Technology Licensing, Llc Home cloud with virtualized input and output roaming over network
US9424228B2 (en) 2012-11-01 2016-08-23 Ezchip Technologies Ltd. High performance, scalable multi chip interconnect
US9442954B2 (en) 2012-11-12 2016-09-13 Datawise Systems Method and apparatus for achieving optimal resource allocation dynamically in a distributed computing environment
US20140140211A1 (en) 2012-11-16 2014-05-22 Cisco Technology, Inc. Classification of traffic for application aware policies in a wireless network
US9338101B2 (en) 2012-12-06 2016-05-10 At&T Intellectual Property I, L.P. Advertising network layer reachability information specifying a quality of service for an identified network flow
US9049115B2 (en) 2012-12-13 2015-06-02 Cisco Technology, Inc. Enabling virtual workloads using overlay technologies to interoperate with physical network services
US20150070516A1 (en) 2012-12-14 2015-03-12 Biscotti Inc. Automatic Content Filtering
US9268808B2 (en) 2012-12-31 2016-02-23 Facebook, Inc. Placement policy
US9122510B2 (en) 2013-01-02 2015-09-01 International Business Machines Corporation Querying and managing computing resources in a networked computing environment
WO2014115157A1 (en) 2013-01-24 2014-07-31 Hewlett-Packard Development Comany, L.P. Address resolution in software-defined networks
US20140215471A1 (en) 2013-01-28 2014-07-31 Hewlett-Packard Development Company, L.P. Creating a model relating to execution of a job on platforms
US9274818B2 (en) 2013-02-06 2016-03-01 International Business Machines Corporation Reliable and scalable image transfer for data centers with low connectivity using redundancy detection
US9525564B2 (en) 2013-02-26 2016-12-20 Zentera Systems, Inc. Secure virtual network platform for enterprise hybrid cloud computing environments
US9183016B2 (en) 2013-02-27 2015-11-10 Vmware, Inc. Adaptive task scheduling of Hadoop in a virtualized environment
US9251115B2 (en) 2013-03-07 2016-02-02 Citrix Systems, Inc. Dynamic configuration in cloud computing environments
US9027087B2 (en) 2013-03-14 2015-05-05 Rackspace Us, Inc. Method and system for identity-based authentication of virtual machines
US9043439B2 (en) 2013-03-14 2015-05-26 Cisco Technology, Inc. Method for streaming packet captures from network access devices to a cloud server over HTTP
US9244775B2 (en) 2013-03-14 2016-01-26 International Business Machines Corporation Reducing reading of database logs by persisting long-running transaction data
US20140280805A1 (en) 2013-03-14 2014-09-18 Rackspace Us, Inc. Two-Sided Declarative Configuration for Cloud Deployment
US8954992B2 (en) 2013-03-15 2015-02-10 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Distributed and scaled-out network switch and packet processing
US9716634B2 (en) 2013-03-15 2017-07-25 International Business Machines Corporation Fulfillment of cloud service orders
US9454294B2 (en) 2013-03-15 2016-09-27 International Business Machines Corporation Creating, provisioning and managing virtual data centers
US20140282669A1 (en) 2013-03-15 2014-09-18 F. Gavin McMillan Methods and apparatus to identify companion media interaction
JP5983484B2 (en) 2013-03-21 2016-08-31 富士通株式会社 Information processing system, control program for controlling information processing apparatus, and control method for information processing system
WO2014165601A1 (en) 2013-04-02 2014-10-09 Orbis Technologies, Inc. Data center analytics and dashboard
US9438495B2 (en) 2013-04-02 2016-09-06 Amazon Technologies, Inc. Visualization of resources in a data center
US9973375B2 (en) 2013-04-22 2018-05-15 Cisco Technology, Inc. App store portal providing point-and-click deployment of third-party virtualized network functions
US9397929B2 (en) 2013-04-22 2016-07-19 Ciena Corporation Forwarding multicast packets over different layer-2 segments
US9407540B2 (en) 2013-09-06 2016-08-02 Cisco Technology, Inc. Distributed service chaining in a network environment
US10298499B2 (en) 2013-04-30 2019-05-21 Telefonaktiebolaget Lm Ericsson (Publ) Technique of operating a network node for load balancing
US20140366155A1 (en) 2013-06-11 2014-12-11 Cisco Technology, Inc. Method and system of providing storage services in multiple public clouds
US9621642B2 (en) 2013-06-17 2017-04-11 Telefonaktiebolaget Lm Ericsson (Publ) Methods of forwarding data packets using transient tables and related load balancers
US9535970B2 (en) 2013-06-28 2017-01-03 Sap Se Metric catalog system
US9632858B2 (en) 2013-07-28 2017-04-25 OpsClarity Inc. Organizing network performance metrics into historical anomaly dependency data
US9426060B2 (en) 2013-08-07 2016-08-23 International Business Machines Corporation Software defined network (SDN) switch clusters having layer-3 distributed router functionality
US9401860B2 (en) 2013-08-09 2016-07-26 Citrix Systems, Inc. High performance quality-of-service packet scheduling for multiple packet processing engines
US9311140B2 (en) 2013-08-13 2016-04-12 Vmware, Inc. Method and apparatus for extending local area networks between clouds and migrating virtual machines using static network addresses
US9338223B2 (en) 2013-08-14 2016-05-10 Verizon Patent And Licensing Inc. Private cloud topology management system
US9104334B2 (en) 2013-08-20 2015-08-11 Avago Technologies General Ip (Singapore) Pte. Ltd Performance improvements in input/output operations between a host system and an adapter-coupled cache
US9043576B2 (en) 2013-08-21 2015-05-26 Simplivity Corporation System and method for virtual machine conversion
US9686154B2 (en) 2013-08-21 2017-06-20 International Business Machines Corporation Generating a service-catalog entry from discovered attributes of provisioned virtual machines
US10402194B2 (en) 2013-09-20 2019-09-03 Infosys Limited Systems and methods for extracting cross language dependencies and estimating code change impact in software
US9304804B2 (en) 2013-10-14 2016-04-05 Vmware, Inc. Replicating virtual machines across different virtualization platforms
US20150106805A1 (en) 2013-10-15 2015-04-16 Cisco Technology, Inc. Accelerated instantiation of cloud resource
US9264362B2 (en) 2013-10-17 2016-02-16 Cisco Technology, Inc. Proxy address resolution protocol on a controller device
US9634944B2 (en) 2013-10-24 2017-04-25 Dell Products, Lp Multi-level iSCSI QoS for target differentiated data in DCB networks
WO2015061706A1 (en) 2013-10-24 2015-04-30 University Of Houston System Location-based network routing
US10146607B2 (en) 2013-11-26 2018-12-04 Anunta Technology Management Services Ltd. Troubleshooting of cloud-based application delivery
KR20150070676A (en) 2013-12-17 2015-06-25 소프팅스 주식회사 Personal Home Cloud Computer System
US10915449B2 (en) 2013-12-19 2021-02-09 Hewlett Packard Enterprise Development Lp Prioritizing data requests based on quality of service
WO2015100656A1 (en) 2013-12-31 2015-07-09 华为技术有限公司 Method and device for implementing virtual machine communication
US9992103B2 (en) 2014-01-24 2018-06-05 Cisco Technology, Inc. Method for providing sticky load balancing
US9529657B2 (en) 2014-02-07 2016-12-27 Oracle International Corporation Techniques for generating diagnostic identifiers to trace events and identifying related diagnostic information
US9678731B2 (en) 2014-02-26 2017-06-13 Vmware, Inc. Methods and apparatus to generate a customized application blueprint
US20150249709A1 (en) 2014-02-28 2015-09-03 Vmware, Inc. Extending cloud storage with private devices
US9253204B2 (en) 2014-03-19 2016-02-02 International Business Machines Corporation Generating accurate preemptive security device policy tuning recommendations
US9591064B2 (en) 2014-03-31 2017-03-07 Verizon Patent And Licensing Inc. Method and apparatus for dynamic provisioning of communication services
US9722945B2 (en) 2014-03-31 2017-08-01 Microsoft Technology Licensing, Llc Dynamically identifying target capacity when scaling cloud resources
US9755858B2 (en) 2014-04-15 2017-09-05 Cisco Technology, Inc. Programmable infrastructure gateway for enabling hybrid cloud services in a network environment
US20150309908A1 (en) 2014-04-29 2015-10-29 Hewlett-Packard Development Company, L.P. Generating an interactive visualization of metrics collected for functional entities
US20150319063A1 (en) 2014-04-30 2015-11-05 Jive Communications, Inc. Dynamically associating a datacenter with a network device
US9473365B2 (en) 2014-05-08 2016-10-18 Cisco Technology, Inc. Collaborative inter-service scheduling of logical resources in cloud platforms
US9483378B2 (en) 2014-05-21 2016-11-01 Dynatrace Llc Method and system for resource monitoring of large-scale, orchestrated, multi process job execution environments
US9582254B2 (en) 2014-05-22 2017-02-28 Oracle International Corporation Generating runtime components
US9426221B2 (en) 2014-06-18 2016-08-23 International Business Machines Corporation Dynamic proximity based networked storage
US10375024B2 (en) 2014-06-20 2019-08-06 Zscaler, Inc. Cloud-based virtual private access systems and methods
US9613078B2 (en) 2014-06-26 2017-04-04 Amazon Technologies, Inc. Multi-database log with multi-item transaction support
US10122605B2 (en) 2014-07-09 2018-11-06 Cisco Technology, Inc Annotation of network activity through different phases of execution
US20160013990A1 (en) 2014-07-09 2016-01-14 Cisco Technology, Inc. Network traffic management using heat maps with actual and planned /estimated metrics
CN105446793B (en) 2014-08-28 2018-08-28 国际商业机器公司 The method and apparatus for migrating fictitious assets
US9825878B2 (en) 2014-09-26 2017-11-21 Cisco Technology, Inc. Distributed application framework for prioritizing network traffic using application priority awareness
US9634928B2 (en) 2014-09-29 2017-04-25 Juniper Networks, Inc. Mesh network of simple nodes with centralized control
US9600337B2 (en) 2014-09-30 2017-03-21 Nimble Storage, Inc. Congestion avoidance in network storage device using dynamic weights
US10257095B2 (en) 2014-09-30 2019-04-09 Nicira, Inc. Dynamically adjusting load balancing
US10834450B2 (en) 2014-09-30 2020-11-10 Nbcuniversal Media, Llc Digital content audience matching and targeting system and method
US20160099847A1 (en) 2014-10-02 2016-04-07 Cisco Technology, Inc. Method for non-disruptive cloud infrastructure software component deployment
US10592093B2 (en) 2014-10-09 2020-03-17 Splunk Inc. Anomaly detection
US11087263B2 (en) 2014-10-09 2021-08-10 Splunk Inc. System monitoring with key performance indicators from shared base search of machine data
US10757170B2 (en) 2014-10-13 2020-08-25 Vmware, Inc. Cross-cloud namespace management for multi-tenant environments
US9558078B2 (en) 2014-10-28 2017-01-31 Microsoft Technology Licensing, Llc Point in time database restore from storage snapshots
CN104320342B (en) 2014-10-29 2017-10-27 新华三技术有限公司 Message forwarding method and device in a kind of transparent interconnection of lots of links internet
US9871745B2 (en) 2014-11-12 2018-01-16 International Business Machines Corporation Automatic scaling of at least one user application to external clouds
KR102255216B1 (en) 2014-11-20 2021-05-24 삼성전자주식회사 Pci device and pci system including the same
US9602544B2 (en) 2014-12-05 2017-03-21 Viasat, Inc. Methods and apparatus for providing a secure overlay network between clouds
US9792245B2 (en) 2014-12-09 2017-10-17 Avago Technologies General Ip (Singapore) Pte. Ltd. Peripheral component interconnect express (PCIe) devices with efficient memory mapping by remapping a plurality of base address registers (BARs)
US9747249B2 (en) 2014-12-29 2017-08-29 Nicira, Inc. Methods and systems to achieve multi-tenancy in RDMA over converged Ethernet
US9075649B1 (en) 2015-01-26 2015-07-07 Storagecraft Technology Corporation Exposing a proprietary image backup to a hypervisor as a disk file that is bootable by the hypervisor
US10050862B2 (en) 2015-02-09 2018-08-14 Cisco Technology, Inc. Distributed application framework that uses network and application awareness for placing data
US9736063B2 (en) 2015-02-17 2017-08-15 Huawei Technologies Co., Ltd. Service chaining using source routing
US9983973B2 (en) 2015-02-18 2018-05-29 Unravel Data Systems, Inc. System and method for analyzing big data activities
US10037617B2 (en) 2015-02-27 2018-07-31 Cisco Technology, Inc. Enhanced user interface systems including dynamic context selection for cloud-based networks
US10708342B2 (en) 2015-02-27 2020-07-07 Cisco Technology, Inc. Dynamic troubleshooting workspaces for cloud and network management systems
US10114966B2 (en) 2015-03-19 2018-10-30 Netskope, Inc. Systems and methods of per-document encryption of enterprise information stored on a cloud computing service (CCS)
US9432294B1 (en) 2015-03-21 2016-08-30 Cisco Technology, Inc. Utilizing user-specified access control lists in conjunction with redirection and load-balancing on a port
US9954783B1 (en) 2015-03-31 2018-04-24 Cisco Technology, Inc. System and method for minimizing disruption from failed service nodes
US9444744B1 (en) 2015-04-04 2016-09-13 Cisco Technology, Inc. Line-rate selective load balancing of permitted network traffic
US9727359B2 (en) 2015-04-27 2017-08-08 Red Hat Israel, Ltd. Virtual machine function based sub-page base address register access for peripheral component interconnect device assignment
US10554620B2 (en) 2015-05-29 2020-02-04 Cisco Technology, Inc. Default gateway extension
US9542115B1 (en) 2015-06-23 2017-01-10 Netapp, Inc. Methods and systems for trouble shooting performance issues in networked storage systems
US20170024260A1 (en) 2015-07-21 2017-01-26 Cisco Technology, Inc. Workload migration across cloud providers and data centers
US20170026470A1 (en) 2015-07-22 2017-01-26 Cisco Technology, Inc. Intercloud audience and content analytics
US9705909B2 (en) 2015-07-29 2017-07-11 Verizon Digital Media Services Inc. Automatic detection and mitigation of security weaknesses with a self-configuring firewall
US9667657B2 (en) 2015-08-04 2017-05-30 AO Kaspersky Lab System and method of utilizing a dedicated computer security service
US9781209B2 (en) 2015-08-20 2017-10-03 Intel Corporation Techniques for routing packets between virtual machines
US10547540B2 (en) 2015-08-29 2020-01-28 Vmware, Inc. Routing optimization for inter-cloud connectivity
US10067780B2 (en) 2015-10-06 2018-09-04 Cisco Technology, Inc. Performance-based public cloud selection for a hybrid cloud environment
US11005682B2 (en) 2015-10-06 2021-05-11 Cisco Technology, Inc. Policy-driven switch overlay bypass in a hybrid cloud network environment
US10462136B2 (en) 2015-10-13 2019-10-29 Cisco Technology, Inc. Hybrid cloud security groups
US9804988B1 (en) 2015-10-30 2017-10-31 Amazon Technologies, Inc. Device full memory access through standard PCI express bus
US20170126583A1 (en) 2015-11-03 2017-05-04 Le Holdings (Beijing) Co., Ltd. Method and electronic device for bandwidth allocation based on online media services
US9912614B2 (en) 2015-12-07 2018-03-06 Brocade Communications Systems LLC Interconnection of switches based on hierarchical overlay tunneling
US10142293B2 (en) 2015-12-15 2018-11-27 International Business Machines Corporation Dynamically defined virtual private network tunnels in hybrid cloud environments
CN105740084B (en) 2016-01-27 2018-08-24 北京航空航天大学 Consider the cloud computing system Reliability Modeling of common cause fault
US11245593B2 (en) 2016-04-25 2022-02-08 Vmware, Inc. Frequency-domain analysis of data-center operational and performance metrics
US10237187B2 (en) 2016-04-29 2019-03-19 Citrix Systems, Inc. System and method for service chain load balancing
US10129177B2 (en) 2016-05-23 2018-11-13 Cisco Technology, Inc. Inter-cloud broker for hybrid cloud networks
EP3291120B1 (en) 2016-09-06 2021-04-21 Accenture Global Solutions Limited Graph database analysis for network anomaly detection systems
US10409367B2 (en) 2016-12-21 2019-09-10 Ca, Inc. Predictive graph selection
US10346762B2 (en) 2016-12-21 2019-07-09 Ca, Inc. Collaborative data analytics application

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6298153B1 (en) * 1998-01-16 2001-10-02 Canon Kabushiki Kaisha Digital signature method and information communication system and apparatus using such method
US20070242830A1 (en) * 2004-06-25 2007-10-18 Koninklijke Philips Electronics, N.V. Anonymous Certificates with Anonymous Certificate Show
US20090083183A1 (en) * 2007-09-21 2009-03-26 Microsoft Corporation Distributed secure anonymous conferencing
US20090265753A1 (en) * 2008-04-16 2009-10-22 Sun Microsystems, Inc. Using opaque groups in a federated identity management environment
US20100131765A1 (en) * 2008-11-26 2010-05-27 Microsoft Corporation Anonymous verifiable public key certificates
US20100325441A1 (en) * 2009-06-23 2010-12-23 Bennet Laurie Privacy-preserving flexible anonymous-pseudonymous access
US20110213966A1 (en) * 2010-02-26 2011-09-01 Christina Fu Automatically generating a certificate operation request
US9628471B1 (en) * 2011-05-03 2017-04-18 Symantec Corporation Protecting user identity at a cloud using a distributed user identity system
US20130162753A1 (en) * 2011-12-22 2013-06-27 Verizon Patent And Licensing, Inc. Multi-enterprise video conference service
US20140141720A1 (en) * 2012-11-21 2014-05-22 Acer Incorporated Cloud Service for making Social Connections

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170171248A1 (en) * 2015-12-14 2017-06-15 International Business Machines Corporation Method and Apparatus for Data Protection in Cloud-Based Matching System
US9992231B2 (en) * 2015-12-14 2018-06-05 International Business Machines Corporation Method and apparatus for data protection in cloud-based matching system
US10348784B2 (en) * 2017-02-15 2019-07-09 Microsoft Technology Licensing, Llc Conferencing server directly accessible from public internet
US11019117B2 (en) * 2017-02-15 2021-05-25 Microsoft Technology Licensing, Llc Conferencing server
WO2020174121A1 (en) * 2019-02-28 2020-09-03 Nokia Technologies Oy Inter-mobile network communication authorization
US11075892B2 (en) * 2019-03-21 2021-07-27 ColorTokens, Inc. Fully cloaked network communication model for remediation of traffic analysis based network attacks
US20220247730A1 (en) * 2021-01-29 2022-08-04 Apple Inc. Electronic conferencing
US20220329574A1 (en) * 2021-01-29 2022-10-13 Zoom Video Communications, Inc. Locking encrypted video conferences
US11750578B2 (en) * 2021-01-29 2023-09-05 Zoom Video Communications, Inc. Locking encrypted video conferences
WO2023129730A1 (en) * 2021-12-30 2023-07-06 TruU, Inc. Remotely accessing an endpoint device using a distributed systems architecture
EP4224789A1 (en) * 2022-02-07 2023-08-09 Abb Schweiz Ag Access control enforcement architectures for dynamic manufacturing systems
CN114827134A (en) * 2022-07-01 2022-07-29 深圳乐播科技有限公司 Differentiated pushing method, related device and display method for cloud conference desktop

Also Published As

Publication number Publication date
US10523657B2 (en) 2019-12-31

Similar Documents

Publication Publication Date Title
US10523657B2 (en) Endpoint privacy preservation with cloud conferencing
US11658956B2 (en) Secure access to virtual machines in heterogeneous cloud environments
AU2014236926B2 (en) Software-defined multinetwork bridge
US10666638B2 (en) Certificate-based dual authentication for openflow enabled switches
JP2022546563A (en) Consolidating Policy Planes Across Multiple Domains
US9286444B2 (en) Next generation secure gateway
US20180013798A1 (en) Automatic link security
JP2018518862A (en) System and method for providing virtual interfaces and advanced smart routing in a global virtual network (GVN)
US20130205025A1 (en) Optimized Virtual Private Network Routing Through Multiple Gateways
US11601358B2 (en) Cross datacenter communication using a mesh gateway
US9503392B2 (en) Enhance private cloud system provisioning security
US20230269139A1 (en) Software defined access fabric without subnet restriction to a virtual network
Chung et al. Advance reservation access control using software-defined networking and tokens
WO2019140486A1 (en) Provisioning network ports and virtual links
US11218918B2 (en) Fast roaming and uniform policy for wireless clients with distributed hashing
Jouin Network Service Mesh Solving Cloud Native IMS Networking Needs
TWI836974B (en) Private and secure chat connection mechanism for use in a private communication architecture
Rauthan Covert Communication in Software Defined Wide Area Networks
Karim Design of the intelligent WAN for the next generation
JP2022510555A (en) End-to-end ID recognition routing across multiple management domains
Ossipov Firepower Platform Deep Dive

Legal Events

Date Code Title Description
AS Assignment

Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:REDDY, K TIRUMALESWAR;WING, DANIEL G.;PATIL, PRASHANTH;AND OTHERS;SIGNING DATES FROM 20151019 TO 20151113;REEL/FRAME:037052/0868

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4